Abstract

Soon after Lenstra gave an algorithm for integer factorization using elliptic curves, Miller and Koblitz independently demonstrated the application of elliptic curves in public key cryptography. Initially the elliptic curve public key cryptosystems were thought to be impractical, but over the last 10 years, the efforts of Menezes, Vanstone and Koblitz have changed the scenario. In contemporary cryptography, elliptic curve public key cryptosystems are being considered as a suitable alternative to existing RSA cryptosystems, as they promise higher security with shorter keys. Shorter keys lead to a reduction in storage requirements. Moreover, the complexity of the hardware required for implementation of elliptic curve public key cryptosystems is relatively less, as the size of the working field is relatively small. Both of these factors make elliptic curves suitable for smart card implementation.

Security, throughput and complexity of the system are three important aspects of a cryptosystem design. In this thesis, we discuss the theory of elliptic curves to develop algorithms for constructing non-supersingular elliptic curves over finite fields which are suitable for secure cryptosystems. The algorithms are based on Lay & Zimmer's scheme (which is a modified version of Atkin & Morain's scheme) and have been generalized to include several different cases. The relevant theory for the construction of elliptic curves suitable for public key cryptosystems has been given in detail. Elliptic curves have also been discussed for certain number theoretic problems, such as integer factorization and primality proving. The thesis also discusses various issues related to efficient implementation of cryptosystems in general and smart cards in particular. Our major emphasis is on optimizing the memory requirements and complexity of the modules performing arithmetic in the underlying finite field.
Chapter 1
Introduction

The fundamental goal of cryptography has been to provide secure communication over an insecure channel such that only the intended recipient can read the message. Earlier, the scope of cryptography was considered to be limited to military and diplomatic communities, but in this age of universal electronic connectivity, the explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on communicating information through an open medium. This, together with the increasing demand for automated financial transactions on networks, has led to a heightened awareness of the need to protect data and resources from disclosure, which, in turn, has boosted the cause of cryptography. For some of the interesting applications of cryptography, see [Sta95, Sch93, Sim91, Omu90].

In cryptographic terminology, the process of encoding the data so as to hide its substance is called encryption, whereas the decoding process is called decryption. Digital signatures, the electronic analog of handwritten signatures, are used for proving the sender's identity to the receiver. This process is called authentication. Authentication is often required whenever access to any system is to be restricted.

Until 1976, when Diffie and Hellman [DH76, DH79] introduced the concept of public key cryptography, symmetric key cryptosystems were the only means of achieving the objectives of cryptography. In symmetric key cryptosystems, a single key is used for both encryption and decryption. Moreover, the sender and receiver must both possess the secret key. This leads to the problem of key distribution, as initially a secure channel is required to communicate the secret key. Moreover, the management of the keys is also a big problem, as for any two users a different secret key is to be used. The public key cryptosystems solve both of these problems by using separate keys for encryption and decryption.
1.1 Public Key Cryptography

The invention of public key cryptography by Diffie and Hellman added a new dimension to the field of cryptography by introducing the use of two keys for encryption and decryption. The encryption key is made public, while the decryption key is kept secret. Since the encryption key is public, anybody can use it for encryption. However, only an authorized receiver who possesses the secret decryption key is able to decrypt the message. Consequently, the public encryption key can be distributed without security concerns. This resolves the problem of distributing the keys. Key management also becomes easier because public keys are used for encryption, and these are not supposed to be kept secret. Public key cryptography also makes possible the use of digital signatures, which is not possible in the case of secret key systems.

The security of public key cryptosystems depends upon the difficulty of finding the private key from the public key. For this, Diffie and Hellman exploited the intractability of the discrete logarithm problem in a large finite multiplicative group. The discrete logarithm problem (DLP) refers to the computation of $x$ such that $a^x = b$ for two given elements $a$ and $b$ in a finite group $G$. The value $x$ is called a logarithm of $b$ to the base $a$, and is denoted by $\log_a b$. This problem is considered to be very difficult if the order of the group $G$ is very large. In fact, the difficulty of this problem is also largely related to the representation of the group and the complexity of the binary operation defined in it.

Although Diffie and Hellman suggested only the discrete logarithm problem for cryptography, this idea can be extended to any mathematical problem in which the forward computation is very easy but the reverse computation is known to be very difficult. Recognizing this very fact, in 1978, Rivest, Shamir and Adleman proposed the RSA algorithm for public key cryptography, which is based on the difficulty of factoring large composite numbers. In 1985, ElGamal gave an explicit methodology for using the DLP in implementing a fully functional cryptosystem [ElG85].

Other than cryptography, the idea of public key cryptography also had a sound impact on research in computational number theory and other topics of mathematics. Nowadays, various problems of computational number theory, i.e. integer factorization, primality testing, DLP etc., are being looked at with great interest, as the security of public key cryptosystems is directly related to them.

1.2 Implementation Issues of Cryptosystems

From the point of view of implementation, symmetric key systems are preferred over public key cryptosystems as they are much faster and their VLSI implementation is very easy. Hence the use of a hybrid system is also recommended, in which encryption is done with a symmetric key algorithm, but each time a different key is used and this key is sent along with the message by encrypting the secret key with a public key algorithm. But in applications which mainly require authentication, it is desirable to have a cryptosystem on a single integrated chip which can perform the arithmetic required for public key algorithms.

Nowadays, the issue of major concern is to develop a smart card, which is like a credit card but contains memory and processing capabilities. The smart card, in fact, is a multipurpose, tamper resistant security device which is equipped with volatile and non-volatile memory and a microprocessor for carrying out the computations for encryption and decryption. The basic advantage of the smart card is that the secret key of the user is stored in a non-volatile memory and never leaves the card. All the processing required for encryption and decryption is done on the card itself. However, the kinds of computations feasible on current cards are quite limited due to their relatively slow processing power and limited memory. Improving the speed of these devices is a very challenging task.

While selecting a public key algorithm for smart cards, various issues should be taken into consideration, the most important ones being storage and processing requirements. Significant advances have also been made, in theory and in practice, on techniques for efficient implementation of these cryptosystems, including custom VLSI chips [OSA99, WDJ99, Bri89], very efficient digital signal processor software implementations of modular arithmetic for RSA [DJ91], and custom VLSI chips for arithmetic operations in the ElGamal cryptosystem in $GF(2^n)$ [AMOV91, WTS+85, WP90, Fen89]. Presently, RSA is being used widely for smart cards as it requires modular exponentiation for both encryption and decryption. Keeping in mind the present state of computational technology, the RSA system requires modular arithmetic on integers of at least 512 bits. So far various chips [OSA99, WDJ99, Bri89] have been designed for this purpose and the maximum throughput achieved is in the range of 78 kbps at 20 MHz [OSA99]. For decryption, higher throughputs have been claimed using the Chinese remainder theorem, which uses the (secret) factors of the modulus for decryption [DJ91]. But under the recent improvements in integer factorization and parallel processing, the security of these systems is facing a serious threat. Recently, Lenstra et al. were able to factor a 450 bit composite integer using distributed processing. Hence, for the cryptosystems to be secure, the size of the modulus needs to be increased further. But this leads to various VLSI implementation related problems, as arithmetic with such large integers is very difficult in hardware and, moreover, more space will be required for key storage.

Because of all these reasons, alternatives are being looked at with great interest. Since it is known that for a public key cryptosystem based on the discrete logarithm problem in a multiplicative group the size of the group needs to be approximately $2^{\ldots}$, they are no better than the RSA system. Recent studies of discrete logarithm problems in elliptic curve groups suggest that elliptic curve cryptosystems will be a proper substitute for RSA in future, as they give better security for shorter keys and are suitable for smart card implementations.


1.3 Elliptic Curve Cryptosystems

Elliptic curve cryptosystems were first proposed by V. Miller and N. Koblitz independently in 1985. The set of points on an elliptic curve over a finite field takes an abelian group structure. The binary operation for this abelian group involves a few basic operations in the field over which the curve is defined. It was found by Miller and Koblitz that the discrete logarithm problem in the abelian group of an elliptic curve over a finite field is much more complex than that over the field itself. Although there are several algorithms for finding logarithms in a finite field, there seems to be no proper choice for the elliptic curve group (the set of all the points) other than the few which are applicable over any arbitrary group. Hence, an elliptic curve provides a group which is defined over a much smaller field. In other words, it requires less storage and arithmetic on elements of smaller size, and still gives better security than RSA. The drastic reduction in circuit complexity and storage requirements, and the intractability of the discrete logarithm problem in the elliptic curve group, make them a suitable candidate for smart card cryptosystems. Another advantage with elliptic curves is that for any given field there are plenty of choices for elliptic curves. Hence, a processor designed to perform the arithmetic in a finite field can be used in different elliptic curve based cryptosystems which require arithmetic in that field.
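Section 1.1 defined the DLP as finding $x$ with $a^x = b$, and the paragraph above claims that for the elliptic curve group only the algorithms that work over an arbitrary group remain. The following Python is an added example, not code from the thesis: it implements the group of points on $y^2 = x^3 + ax + b$ over $GF(p)$ and a generic baby-step giant-step solver that uses nothing but the group operation, so the same solver runs unchanged on $GF(p)^*$ and on the curve. The prime, curve and base point are toy values constructed here.

```python
# Added example (not from the thesis).  Point group of a short Weierstrass
# curve over GF(p), p > 3, and a generic baby-step giant-step DLP solver that
# only needs the group operation, identity and inverse.  Toy parameters.
from math import isqrt

O = None  # the point at infinity, identity of the curve group


class Curve:
    """y^2 = x^3 + a*x + b over GF(p), p > 3, with the chord-and-tangent law."""

    def __init__(self, p, a, b):
        if p <= 3 or (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("need p > 3 and a non-singular curve")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Group law: a few field multiplications and one field inversion."""
        if P is O:
            return Q
        if Q is O:
            return P
        p = self.p
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                                     # P + (-P) = O
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p   # tangent
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p               # chord
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add: the easy 'forward' direction of the ECDLP."""
        R = O
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def bsgs(op, identity, inverse, g, h, bound):
    """Generic baby-step giant-step: return x < bound with g^x = h (written
    multiplicatively; on the curve g^x means x*G).  Only op, identity and
    inverse are used, so the cost is O(sqrt(bound)) group operations in any
    group: the group order, not the representation, sets the security level."""
    m = isqrt(bound) + 1
    baby = {}
    e = identity
    for j in range(m):                  # baby steps: e = g^j
        baby.setdefault(e, j)
        e = op(e, g)
    giant = inverse(e)                  # g^(-m)
    gamma = h
    for i in range(m):                  # giant steps: gamma = h * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = op(gamma, giant)
    return None


# 1) DLP in the multiplicative group GF(p)*, toy prime constructed here.
P_MUL = 1019


def dlp_mod_p(g, h):
    return bsgs(lambda u, v: u * v % P_MUL, 1,
                lambda u: pow(u, -1, P_MUL), g, h, P_MUL - 1)


# 2) ECDLP on a toy curve over GF(97) with the very same solver.
E = Curve(97, 2, 3)
G = (3, 6)          # constructed base point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)


def ecdlp(Q):
    # Hasse's bound p + 1 + 2*sqrt(p) bounds #E(GF(p)), hence every logarithm.
    bound = E.p + 2 + 2 * (isqrt(E.p) + 1)
    return bsgs(E.add, O, E.neg, G, Q, bound)


if __name__ == "__main__":
    Q = E.mul(37, G)
    print("37*G =", Q, " recovered log:", ecdlp(Q))
    h = pow(2, 345, P_MUL)
    print("2^345 mod p =", h, " recovered log:", dlp_mod_p(2, h))
```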

1.4 Objective of Thesis

In this thesis, we discuss various design and implementation issues connected with elliptic curve cryptosystems. Our aim in this thesis is to construct elliptic curves which are secure against all the existing attacks and to discuss various issues related to their efficient implementation. For this we discuss various techniques for efficient arithmetic in $GF(2^n)$ and $GF(p)$, both for software and hardware implementation. The reduction in the size of the underlying field for elliptic curve cryptosystems makes them suitable for smart card implementations. We also discuss design aspects of elliptic curve based smart cards, especially the selection of finite fields and curves to minimize the storage and computational requirements. Apart from this, elliptic curves also provide efficient ways of factoring large integers and of primality proving.

In this thesis, we pay considerable attention to the theory of elliptic curves and their arithmetic, to understand their applicability in both cryptography and cryptanalysis (integer factorization).



1.5 Organization of Thesis

The thesis is organized into 8 chapters, including the present one. Chapter 2 discusses the theory of elliptic functions and elliptic curves over $\mathbb{C}$ to obtain the elliptic curves over finite fields. In Chapter 3, we discuss the discrete logarithm problem in elliptic curve groups and its application to cryptography. Chapter 4 presents algorithms for the construction of supersingular and non-supersingular elliptic curves for public key cryptography and also discusses various implementation issues. In Chapter 5, certain elliptic curve based number theoretic algorithms are discussed. Chapter 6 deals with efficient implementation of elliptic curve public key cryptosystems and smart card design. Various implementation results are discussed in Chapter 7. Chapter 8 concludes the thesis. The thesis also has four appendices A, B, C and D, which give a brief introduction to the theory of modular forms, algebraic number theory, class field theory and algebraic geometry respectively.



Chapter 2

Theory of Elliptic Curves

The theory of elliptic curves is a beautiful and vast body of knowledge. The scope of elliptic curves stretches to various advanced topics in mathematics like Algebraic Number Theory, Algebraic Geometry, Complex Analysis etc., and hence there are several ways to study them and their arithmetic. Our aim in this chapter is to study the theory of elliptic curves (over $\mathbb{C}$) in order to obtain elliptic curves over the finite fields $GF(p)$ and $GF(2^n)$ for constructing efficient and secure cryptosystems. Here, we begin with the theory of elliptic functions in the context of Weierstrass's work on solving the elliptic integral, and then concentrate on elliptic curves and their relationship with quadratic imaginary fields. In the first section, we discuss Weierstrass's elliptic function $\wp(z)$ as a tool for solving the elliptic integral problem.


2.1 Weierstrass's Elliptic Function $\wp(z)$

Geometrically, elliptic curves are not related to the ellipse, as their name might suggest. But they evolve naturally in the process of computing the inverse of an elliptic integral [Seg80, Apo76, Cha88], which one comes across in computing the arc length of an ellipse. The elliptic integral is an integral given by

\[ \int \frac{dx}{\sqrt{x^3 + ax + b}}, \qquad \text{where } a, b \in \mathbb{C}. \]

By computation of the inverse of an elliptic integral, we mean the computation of the angle subtended by an arc of given length on an ellipse. We will see that this problem helps us in setting up a relationship between an elliptic curve over $\mathbb{C}$ and the complex field $\mathbb{C}$ itself. Let us define the meromorphic function [Seg80, Ahl79] as the first step towards solving this problem of inverting the elliptic integral.

Definition 2.1 A meromorphic function is an analytic function with isolated singularities over a region $\Omega$.
Our interest is in doubly periodic meromorphic functions [Apo76, Sil85, PS93, Seg80].

Definition 2.2 The doubly periodic meromorphic functions are called elliptic functions.

The set of all the periods of an elliptic function is called a lattice and is denoted by $\Lambda$. Any pair of periods $(\omega_1, \omega_2)$ is called a basis of the lattice if any $\omega \in \Lambda$ has the unique representation $\omega = n_1\omega_1 + n_2\omega_2$ for $n_1, n_2 \in \mathbb{Z}$. Hence

\[ \Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2. \]

It is clear that the whole complex plane can be covered by a network of non-overlapping similar copies of the (fundamental) parallelogram formed by the vertices $0$, $\omega_1$, $\omega_2$ and $\omega_1 + \omega_2$. The lattice $\Lambda$ with basis $(\omega_1, \omega_2)$ is, in fact, the set of vertices of this network of parallelograms [Seg80, Sil94].

Two lattices $\Lambda_1, \Lambda_2$ are called homothetic [Sil94] if $\Lambda_1 = c\Lambda_2$ for some $c \in \mathbb{C}$. If $\omega_1$ and $\omega_2$ are selected such that $\operatorname{Im}(\omega_1/\omega_2) > 0$, then $\Lambda$ will be given (up to homothety) by

\[ \Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}, \qquad \text{where } \tau = \omega_1/\omega_2. \]

Since elliptic functions are periodic with periods $\omega_1$ and $\omega_2$, we will concentrate on the fundamental parallelogram only. The next lemma describes the uniqueness of a lattice [Apo76, Sil94].

Lemma 2.1 (a) Let $\Lambda \subset \mathbb{C}$ be a lattice and let $(\omega_1, \omega_2)$ and $(\omega_1', \omega_2')$ be two oriented bases for $\Lambda$. Then

\[ \omega_1' = a\omega_1 + b\omega_2, \qquad \omega_2' = c\omega_1 + d\omega_2, \]

where $ad - bc = \pm 1$.

(b) If $\tau_1$ and $\tau_2$ lie in the upper half of the complex plane, then the lattices $\Lambda_{\tau_1}$ and $\Lambda_{\tau_2}$ are homothetic iff

\[ \tau_2 = \frac{a\tau_1 + b}{c\tau_1 + d} \quad \text{and} \quad ad - bc = \pm 1. \]

(c) Every lattice $\Lambda$ can be written, up to homothety, as $\Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$ for some $\tau$ in the upper half of the complex plane.

Hence we see from this lemma that two lattices will be homothetic (similar in some sense) if and only if the corresponding bases can be related by a unimodular transformation. Now we state some of the important properties of elliptic functions which will be required for the construction of the Weierstrass elliptic function $\wp(z)$ [Ahl79, Seg80, Sil85].
Properties of an elliptic function with lattice $\Lambda$:

1. An elliptic function without poles is constant.

2. The sum of the residues of an elliptic function is zero.

3. A non-constant elliptic function has an equal number of poles and zeros, and the zeros $a_1, a_2, \ldots, a_n$ and poles $b_1, b_2, \ldots, b_n$ satisfy

\[ a_1 + a_2 + \cdots + a_n \equiv b_1 + b_2 + \cdots + b_n \pmod{\Lambda}. \]

4. The derivative of any elliptic function is also elliptic with the same periods, and hence with the same lattice.

5. Elliptic functions take all the values in $\mathbb{C}$.

In view of these properties, we construct an elliptic function with double poles at all the lattice points [Cha88, Seg80, Ahl79]. This function is called the Weierstrass elliptic function and is denoted by $\wp(z)$; its defining series is summed over $\omega \in \Lambda$, $\omega \neq 0$.

The Weierstrass function can easily be verified to possess all the properties mentioned above. Differentiating this formula, we get

\[ \wp'(z) = -2 \sum_{\omega \in \Lambda} \frac{1}{(z - \omega)^3}, \]

which is again an elliptic function with the same lattice, but with a third order pole at all the lattice points. By simple algebraic manipulation, it can easily be shown that the following equation holds:

\[ \wp'(z)^2 = 4\wp(z)^3 - g_2(\Lambda)\wp(z) - g_3(\Lambda), \]

where $g_2(\Lambda) = 60\,G_4(\Lambda)$ and $g_3(\Lambda) = 140\,G_6(\Lambda)$. We call this equation the elliptic curve equation [IR82, Cha88, Sil85, Ahl79]. The function $G_{2k}(\Lambda)$ is a modular form of weight $2k$ and can be expressed as a series expansion (Eisenstein series)

\[ G_{2k}(\Lambda) = \sum_{\omega \in \Lambda,\ \omega \neq 0} \frac{1}{\omega^{2k}}. \]

For a brief introduction to modular forms please see Appendix A.

Before proceeding further, we set ourselves the objective of studying the maps which take an elliptic curve into itself. We shall discuss these maps in detail later on. Now, we come back to the problem of the elliptic integral and see how it helps us in achieving this objective.
The Weierstrass elliptic curve equation is a first order differential equation. Substituting $x = \wp(z)$ and integrating both sides, we get

\[ z - z_0 = \int_{\wp(z_0)}^{\wp(z)} \frac{dx}{\sqrt{4x^3 - g_2(\Lambda)x - g_3(\Lambda)}}, \]

where the path of integration is the image under $\wp$ of a path from $z_0$ to $z$ that avoids the zeros and poles of $\wp'(z)$, and where the sign of the square root must be chosen so that it actually equals $\wp'(z)$. It should be noticed that the integral on the right hand side is an elliptic integral. Hence, we have solved the problem of inversion of the elliptic integral, because for an arc of an ellipse with end points $z$ and $z_0$, the angle subtended at the center of the ellipse will be given by $\wp(z) - \wp(z_0)$.

Since $\wp(z)$ takes all the values (property 5) in the complex plane (hence in the fundamental parallelogram if taken modulo $\Lambda$), a one-to-one map exists between $z$ and $\wp(z)$, both taking values in the fundamental parallelogram when reduced modulo $\Lambda$. Here, it should be noticed that $\wp(z)$ along with $\wp'(z)$ (with an appropriate sign) defines a point on the elliptic curve $E$,

\[ E : y^2 = 4x^3 - g_2(\Lambda)x - g_3(\Lambda), \]

where $x = \wp(z)$ and $y = \wp'(z)$.

The following theorem says that the one-to-one map mentioned above is, in fact, an isomorphism [Sil85].

Theorem 2.1 (a) Let $\Lambda \subset \mathbb{C}$ be the lattice generated by $\omega_1$ and $\omega_2$ (or equivalently by $1$ and $\tau$, with $\tau = \omega_1/\omega_2$). Then the map $E_\Lambda(\mathbb{C}) \to \mathbb{C}/\Lambda$ given by

\[ P \longmapsto \int_{O}^{P} \frac{dx}{y} \pmod{\Lambda}, \]

with $P = (\wp(z), \wp'(z))$ and point at infinity $O$, is a complex analytic isomorphism.

(b) Its inverse map is given by

\[ \phi : \mathbb{C}/\Lambda \longrightarrow E_\Lambda(\mathbb{C}), \qquad z \longmapsto \phi(z) = (\wp(z), \wp'(z)). \]

This theorem is very important, as it establishes an isomorphism between the complex Lie group $\mathbb{C}/\Lambda$ and $E_\Lambda$. Hence, we will now study the complex Lie group $\mathbb{C}/\Lambda$ to make deductions about the elliptic curve group $E_\Lambda$. Since the complex Lie group of all the lattices which are homothetic to $\Lambda$ is isomorphic to $\mathbb{C}/\Lambda$, the above theorem leads us to a very important result, which says that elliptic curves corresponding to homothetic lattices will be isomorphic. The generalization of this concept is quite immediate and can easily be extended to isomorphism classes of elliptic curves [Sil94]. If we denote by $\mathcal{L}$ the set of all the lattices in $\mathbb{C}$,

\[ \mathcal{L} = \{\text{Lattices in } \mathbb{C}\}, \]

then the above discussion can be summarized by an isomorphism map

\[ \mathcal{L}/\mathbb{C}^* \longrightarrow \frac{\{\text{elliptic curves defined over } \mathbb{C}\}}{\mathbb{C}\text{-isomorphism}} = \mathcal{ELL}_{\mathbb{C}}. \]

In the next section, we see how this map helps in achieving the objective we set earlier in this section.


2.2 Elliptic Curves over $\mathbb{C}$

According to the discussion in Section 2.1, if two lattices are homothetic then the corresponding elliptic curves will be isomorphic. Hence, if we want to determine whether two elliptic curves $E_1 : y^2 = x^3 + a_1x + b_1$ and $E_2 : y^2 = x^3 + a_2x + b_2$ are isomorphic or not, we need to first find the periods of the corresponding lattices. This can be done by identifying a basis $(\gamma_1, \gamma_2)$ of the homology group $H_1(E(\mathbb{C}), \mathbb{Z})$ for $E_1$ and $E_2$ and using the map given in Theorem 2.1 for the computation of a basis $(\omega_1, \omega_2)$ of the corresponding lattices [Ahl79, Sil85]:

\[ \omega_1 = \int_{\gamma_1} \frac{dx}{y}, \qquad \omega_2 = \int_{\gamma_2} \frac{dx}{y}. \]

If the corresponding lattices are homothetic then the two curves will be isomorphic.

Now, a natural question to be asked is whether there is a simpler way or not. The answer to this question comes from the theory of modular forms [Apo76, PS93, Sil94, Seg80]. We know that modular functions (modular forms of weight 0) are invariant functions for a homothety class of lattices (please see Appendix A). Hence if we can obtain a modular function from the modular forms $g_2(\Lambda)$ and $g_3(\Lambda)$, which are the coefficients of the elliptic curve equation, then we obtain a parameter which will be invariant for an isomorphism class of elliptic curves. Klein's $j(\Lambda)$, referred to as the $j$-invariant, is such a function:

\[ j(\Lambda) = 1728\,\frac{g_2(\Lambda)^3}{\Delta(\Lambda)}, \]

where $\Delta(\Lambda) = g_2(\Lambda)^3 - 27\,g_3(\Lambda)^2$ is called the discriminant and is a modular form of weight 12.

Now, let us see the Uniformization Theorem which, together with the above discussion, gives the desired result [Sil85, Sil94].
Theorem 2.2 (Uniformization theorem of elliptic curves over $\mathbb{C}$) Let $a, b \in \mathbb{C}$ satisfy $4a^3 + 27b^2 \neq 0$. Then there is a unique lattice $\Lambda \subset \mathbb{C}$ such that

\[ g_2(\Lambda) = -4a \quad \text{and} \quad g_3(\Lambda) = -4b. \]

The map

\[ \mathbb{C}/\Lambda \longrightarrow E : y^2 = x^3 + ax + b \]

is a complex analytic map.

This theorem does the important task of parameterizing the curve. The discriminant and $j$-invariant of the curve $E$ are given by

\[ \Delta(E) = -16(4a^3 + 27b^2) \quad \text{and} \quad j(E) = -1728\,\frac{(4a)^3}{\Delta(E)}. \]

Now, since any elliptic curve over $\mathbb{C}$ is uniquely identified, up to isomorphism, by its $j$-invariant, $E_1$ and $E_2$ will be isomorphic if and only if their $j$-invariants are the same. The next proposition summarizes much of the preceding discussion [Sil94].
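The two formulas above and the isomorphism criterion they give are easy to check by computation. The following Python is an added example, not from the thesis: it evaluates $\Delta(E)$ and $j(E)$ exactly over $\mathbb{Q}$ (a subfield of $\mathbb{C}$), verifies that the isomorphic curve obtained from $(x, y) \mapsto (u^2x, u^3y)$ has the same $j$, and, going beyond the text, applies the same formulas over a prime field $GF(p)$, $p > 3$, where a zero discriminant is the first reason to reject a proposed curve. All coefficients are constructed here.

```python
# Added example (not from the thesis): discriminant and j-invariant of
# E : y^2 = x^3 + a x + b, exactly over Q and reduced modulo a prime p > 3.
from fractions import Fraction as Fr


def discriminant(a, b):
    """Delta(E) = -16 (4 a^3 + 27 b^2).  Zero means the cubic has a repeated
    root, so E is singular and is not an elliptic curve at all."""
    a, b = Fr(a), Fr(b)
    return -16 * (4 * a**3 + 27 * b**2)


def j_invariant(a, b):
    """j(E) = -1728 (4a)^3 / Delta(E); raises for a singular curve."""
    d = discriminant(a, b)
    if d == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0")
    return -1728 * (4 * Fr(a))**3 / d


def scaled_curve(a, b, u):
    """Image of E under (x, y) -> (u^2 x, u^3 y), u != 0: the coefficients
    become (u^4 a, u^6 b) and the new curve is isomorphic to E over C."""
    u = Fr(u)
    return (Fr(a) * u**4, Fr(b) * u**6)


def same_class_over_C(a1, b1, a2, b2):
    """Over C the j-invariant classifies curves up to isomorphism
    (Uniformization theorem), so comparing j decides the question."""
    return j_invariant(a1, b1) == j_invariant(a2, b2)


def discriminant_mod_p(a, b, p):
    """Delta(E) reduced mod p (p > 3); zero means the parameters are unusable."""
    return (-16 * (4 * a**3 + 27 * b**2)) % p


def j_invariant_mod_p(a, b, p):
    """j(E) over GF(p), p > 3.  Equal j over GF(p) implies isomorphism only
    over the algebraic closure; over GF(p) itself two curves with the same j
    can still be non-isomorphic twists, so this is a necessary test only."""
    d = discriminant_mod_p(a, b, p)
    if d == 0:
        raise ValueError("singular curve mod p")
    return (-1728 * pow(4 * a, 3, p) * pow(d, -1, p)) % p


if __name__ == "__main__":
    print("y^2 = x^3 - x :", discriminant(-1, 0), j_invariant(-1, 0))
    a2, b2 = scaled_curve(2, 3, 2)
    print("scaled curve:", (a2, b2), same_class_over_C(2, 3, a2, b2))
    print("j mod 97 of y^2 = x^3 + 2x + 3 :", j_invariant_mod_p(2, 3, 97))
```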

Proposition 2.1 There are one-to-one correspondences between the following sets, given by the maps

\[ \mathcal{ELL}_{\mathbb{C}} \longleftarrow \mathcal{L}/\mathbb{C}^* \longrightarrow \mathbb{C} \]
\[ \{E_\Lambda\} \longleftarrow \{\Lambda = \Lambda_\tau\} \longrightarrow j(\tau) \]

Here $\Lambda_\tau = \mathbb{Z}\tau + \mathbb{Z}$, $\{E_\Lambda\}$ denotes the $\mathbb{C}$-isomorphism class of the elliptic curve $E_\Lambda : y^2 = 4x^3 - g_2(\Lambda)x - g_3(\Lambda)$, and $\{\Lambda\}$ is the homothety class of $\Lambda$.

Before discussing another very important property of the $j$-invariant, let us first define the field of moduli [Sil94].

Definition 2.3 Let $\{E\} \in \mathcal{ELL}_{\mathbb{C}}$ and $\mathcal{K} \subset \mathbb{C}$. We say that $\mathcal{K}$ is a field of definition for $\{E\}$ if there is an elliptic curve $E_0 \in \{E\}$ such that $E_0$ is defined over $\mathcal{K}$. We say that $\mathcal{K}$ is the field of moduli for $\{E\}$ if for all automorphisms $\sigma \in \operatorname{Aut}(\mathbb{C}/\mathbb{Q})$

\[ E^\sigma \in \{E\} \quad \text{iff} \quad \sigma \text{ acts trivially on } \mathcal{K}. \]

Though this definition does not guarantee the existence and uniqueness of the field of moduli for an isomorphism class of elliptic curves, it is so. In fact, there are a finite number of isomorphism classes which have the same field as field of moduli, and all of these isomorphism classes have complex multiplication by an order¹ in an imaginary quadratic field (explained later). The next proposition, the proof of which is quite elementary, gives a very important result which relates the $j$-invariant of the isomorphism class to the field of moduli.

¹ The term order is used in two contexts in this thesis: for a ring in an imaginary quadratic field and for the number of points of an elliptic curve.

Proposition 2.2 Let $\{E\} \in \mathcal{ELL}_{\mathbb{C}}$.

(a) $\mathbb{Q}(j\{E\})$ is the field of moduli for $\{E\}$.

(b) $\mathbb{Q}(j\{E\})$ is the minimal field of definition for $\{E\}$.

The importance of this proposition will become obvious later, when we identify an isomorphism class of elliptic curves by an elliptic curve over its field of moduli $\mathbb{Q}(j\{E\})$. Now, we come to the objective set in Section 2.1, i.e. the study of maps on elliptic curves [TV91, Sil85, Mor93].

Definition 2.4 Let $E_1$ and $E_2$ be elliptic curves. An isogeny between $E_1$ and $E_2$ is a morphism

\[ \phi : E_1 \longrightarrow E_2 \]

satisfying $\phi(O) = O$. Here $O$ is the point at infinity.

We shall see later that $E$ takes the structure of a group and that $O$ acts as the identity in that group. Presently, we proceed further with this assumption.

The set of all the isogenies which take an elliptic curve into itself, i.e. the set of all the endomorphisms, takes a ring structure in a natural way and is called the endomorphism ring of $E$ [Ono90, Sil85, Mor93, Cha88]:

\[ \operatorname{End}(E) = \{\phi : \phi(E) \subset E\}. \]

As stated earlier, we are interested in studying the endomorphism ring of an elliptic curve. Now the importance of Theorem 2.1 is clear, as the isomorphism between $E_\Lambda$ and $\mathbb{C}/\Lambda$ shows that we can, instead, study all the homomorphisms of $\mathbb{C}/\Lambda$ and make deductions about the endomorphism ring of $E_\Lambda$. This will lead us to a quadratic imaginary field through the notion of complex multiplication [PS92, Sil85, Sil94, BCH+66, Shi71].

Let $\Lambda_1$ and $\Lambda_2$ be lattices in $\mathbb{C}$. If $\alpha \in \mathbb{C}$ has the property that $\alpha\Lambda_1 \subset \Lambda_2$, then the scalar multiplication by $\alpha$,

\[ \phi_\alpha : \mathbb{C}/\Lambda_1 \longrightarrow \mathbb{C}/\Lambda_2, \qquad z \longmapsto \alpha z \pmod{\Lambda_2}, \]

is clearly an analytic homomorphism. The next theorem shows that these are essentially the only holomorphic (analytic) maps [PS92, Sil85, Cha88].
Theorem 2.3 (a) The association

\[ \{\alpha \in \mathbb{C} : \alpha\Lambda_1 \subset \Lambda_2\} \longrightarrow \{\text{holomorphic maps } \phi : \mathbb{C}/\Lambda_1 \to \mathbb{C}/\Lambda_2 \text{ with } \phi(0) = 0\}, \qquad \alpha \longmapsto \phi_\alpha, \]

is a bijection.

(b) Let $E_1$ and $E_2$ be the elliptic curves corresponding to two lattices $\Lambda_1$ and $\Lambda_2$. Then the natural inclusion

\[ \{\text{isogenies } \alpha : E_1 \to E_2\} \longrightarrow \{\text{holomorphic maps } \phi : \mathbb{C}/\Lambda_1 \to \mathbb{C}/\Lambda_2 \text{ with } \phi(0) = 0\} \]

is a bijection.

This theorem strengthens the foregoing argument and motivates us to study the set of all endomorphisms of the complex Lie group $\mathbb{C}/\Lambda$ in order to determine the structure of the endomorphism ring of $E$.

2.3 Complex Multiplication

Now, we shall study elliptic curves with complex multiplication. This section requires elementary knowledge of algebraic number fields (especially quadratic imaginary fields) [PS93, Ros94, IR82, Hec93] and their abelian extensions, i.e. class fields [PS92, Coh78, BCH+66, Sil94]. An introductory overview of these topics is given in Appendices B and C. We begin with a theorem which will help in defining the term complex multiplication for elliptic curves [Sil85, BCH+66, PS92].

Theorem 2.4 (a) Let $E$ be an elliptic curve over a field $K$ and let $m \in \mathbb{Z}$, $m \neq 0$. Then the multiplication by $m$ map

\[ [m] : E \longrightarrow E \]

is non-constant.

(b) The endomorphism ring $\operatorname{End}(E)$ is an integral domain of characteristic 0.

(c) The endomorphism ring of an elliptic curve is isomorphic either to $\mathbb{Z}$, or to an order in a quadratic imaginary field, or to an order in a quaternion algebra.

It can be shown for $K = \mathbb{C}$ that $\operatorname{End}(E)$ cannot be an order in a quaternion algebra. If $K$ is a finite field then $\operatorname{End}(E)$ will be strictly larger than $\mathbb{Z}$ [Shi71, Cha88, Sil85, PS93].

Definition 2.5 If for any elliptic curve the endomorphism ring is larger than $\mathbb{Z}$, then we say that the elliptic curve has complex multiplication, or CM in short.
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Elliptic curves, with their endomorphism ring isomor{)hic to an order in quaternion al- 
gebra, are called supersingular elliptic curves [Men931), Sil85]. Since our final goal is to 
construct non-supersingular elli])l,ic. curves ovcir (iiiite (i(^ld (C!ha,p(,er 3 and 4), we concen- 
trate over elliptic curves with complex multiplication. 

To explain the isomorphism between End{E) and an order O in an imaginary quadratic 
field /C, we conn; back t,o wlia.1. w(^ disctissc^d at tlie ('iid of Section 2.2. 11 we can somehow 
find all a E €■* such that 

: C/A — t C/A, 

then that set (in fact, ring) will be isomorphic to End[E). In other words, we are interested 
in finding all ct G C* such that 

ttA C A. 

Here, we need to introduce tln^ (piadratic imaginary lic'Id (See y\ppendix B) [Ono90, Ros94, 
Dav80]. It is not diflic.ult to obs('.rve that <^acli rracl.ional idt'al in an order O in any quadratic 
imaginary field K,, is equivalent to a lattice [Sil85, Cha88, Hec93, Ros94]. The basis of any 
^-fractional ideal will be same as that of a lattice. Now if, instead of lattice, we consider 
an O-fractional ideal of an appropriate imaginary (juadrat.ic (i(dd /C then by the definition of 
the 0-fractional ideals, the required set will olwiotisly bc^ order O. Hence, we have proved 
following corollary [Sil94]. 

corollary 2.1 Let E/C be an elliptic curve unth complex m,ultiplication by a ring O eC. 
Then the following map is an isomorphism 




End(E) 


and the ring O can be ide7itified as an order in an quadratic imaginary field K.. 


Now, we will concentrate on isomorphism classes of elliptic curves which have the same endo-
morphism ring, i.e. have complex multiplication by the same order O [Sil94].

ELL(O) = \{\text{elliptic curves } E/\mathbb{C} \text{ with } End(E) \cong O\} / \text{isomorphism over } \mathbb{C}
       = \{\text{lattices } \Lambda \text{ with } \{\alpha \in \mathbb{C} : \alpha\Lambda \subseteq \Lambda\} = O\} / \text{homothety}


Since each O-fractional ideal can be looked at as a lattice, each non-zero O-fractional ideal
can be associated with an elliptic curve with complex multiplication by O. On the other
hand, since a homothety class of lattices gives a set of isomorphic elliptic curves, O-fractional
ideals a and ca (c \in O) will give the same elliptic curve in ELL(O). Hence we can easily
deduce that each ideal class in the class group of the order O can be associated with an isomorphism
class of elliptic curves in a unique way [PS93, Sil85, Shi71, BCh+66].
If a is a fractional ideal of a quadratic imaginary field, we denote by \bar{a} its ideal class
in CL(O). The following map is a bijection

CL(O) \to ELL(O)

\bar{a} \mapsto E_a

Now, we are heading towards the main result, which is related to the ring class field. In the
literature usually the main result is stated first and then proved. But, since the proof of the
main result is very complicated, we shall follow a rather different approach such that the
statement of the main result evolves naturally and does not require any proof. This surely
requires a good understanding of the concepts of algebraic number fields and class fields.

We know that we can associate a unique class field with every order in K, which is called the
ring class field [Coh78, PS93]. If the order is maximal, i.e. the ring of integers O_K, then the
ring class field will be the Hilbert class field, the maximal unramified abelian extension of K. In
the case of a non-maximal order, the class field will be a ramified abelian extension of K, such
that any O_K-integral ideal may ramify in the concerned ring class field but all O-integral ideals will be
unramified.

Let the ring class field be given by H_O. Then the following map will be an isomorphism
(please see Appendix C) [Ono90, Coh78, PS93, PS92].

F : Gal(H_O/K) \to CL(O)

Hence, the action of Gal(H_O/K) on ELL(O) can be identified with the action of CL(O) on ELL(O).
The next proposition shows that the action of CL(O) on ELL(O) is simply transitive [Sil94,
Shi71].

Proposition 2.3 (a) Let \Lambda be a lattice with E_\Lambda \in ELL(O), and let a and b be two non-zero
fractional ideals of K. Then

1. a\Lambda is a lattice in \mathbb{C},

2. the elliptic curve E_{a\Lambda} satisfies End(E_{a\Lambda}) = O,

3. E_{a\Lambda} \cong E_{b\Lambda} iff \bar{a} = \bar{b} in CL(O).

Hence, this is a well-defined action of CL(O) on ELL(O) determined by

\bar{a} * E_\Lambda = E_{a^{-1}\Lambda}

(b) The action of CL(O) on ELL(O) described in (a) is simply transitive. In particular

\#CL(O) = \#ELL(O)
In view of this proposition, we can see that the action of Gal(H_O/K) on ELL(O), if looked at as
an action of CL(O) on ELL(O), would take E_\Lambda to E_{a^{-1}\Lambda} for a fractional ideal a from the ideal
class corresponding to the concerned element of Gal(H_O/K). Hence, this action takes an elliptic
isomorphism class to its conjugate isomorphism class. Since the action of Gal(H_O/K) on E_\Lambda
can also be looked at as an action on the coefficients of the elliptic curve equation, we can deduce that the
coefficients of the elliptic curve equation, which are modular forms of weight 4 and 6, should
lie in the ring class field H_O. This deduction arises from the fact that the action of Gal(H_O/K) on
any element of H_O will take that element to its conjugate [Ono90, Coh78, Fra95, PS92]. We
present the above discussion in the next proposition.

Proposition 2.4 Let K/Q be a quadratic imaginary field. Then there exists an isomorphism

F : Gal(H_O/K) \to CL(O)

uniquely characterized by the condition

E^\sigma = F(\sigma) * E \quad \text{for all } \sigma \in Gal(H_O/K) \text{ and all } E \in ELL(O),
or equivalently j(E)^\sigma = j(F(\sigma) * E).

Recalling the definition of field of definition, we can say that for all elliptic curves with
complex multiplication by O, the ring class field (not the field of moduli Q(j(E))) will be
the field of definition. The next theorem, which was earlier referred to as the main result, tells us
about the association between j-invariants and H_O [Shi71, BCh+66, Sil94].

Theorem 2.5 Let E be an elliptic curve representing an isomorphism class in ELL(O).

(a) j(E) is an algebraic integer and K(j(E)) is the ring class field H_O of K.

(b) [Q(j(E)) : Q] = [K(j(E)) : K] = h_K, where h_K = \#CL(O) = \#Gal(H_O/K).

(c) Let E_1, \ldots, E_{h_K} be a complete set of representatives for ELL(O); then j(E_1), \ldots, j(E_{h_K})
is a complete set of Gal(H_O/K) conjugates of j(E).

From this theorem, we can deduce that the field of moduli Q(j(E)) for all the elliptic curves
having complex multiplication by O is a subfield of K(j(E)) and [K(j(E)) : Q(j(E))] = 2.
The next section explains the reduction map for obtaining elliptic curves over a finite field
GF(q).

2.4 Elliptic Curve Reduction Maps 

In Section 2.3, we discussed the relationship between an imaginary quadratic field and elliptic
curves with the notion of complex multiplication and ring class field. In this section, we see
how an elliptic curve (over C) can be reduced to an elliptic curve over a finite field and how the
reduction map will affect the order (number of points on the curve) of the elliptic curve [Sil94,
LZ94].

If the reduced elliptic curve is nonsingular, then the elliptic curve is said to have good reduction [BCh+66, PS93,
Sil85]. Now, since any elliptic curve with complex multiplication is defined over the ring class field of
an order in a quadratic imaginary field K, we will see how to obtain a finite field from the ring
class field [Ono90].

Since the degree of the extension of K over Q, [K : Q], is 2, any prime p which splits completely
in K will have degree 1. Let's say it splits into prime ideals \mathfrak{p} and \mathfrak{p}' in K. Then

(p)_K = \mathfrak{p}\mathfrak{p}' \quad \text{where } p = N_{\mathbb{Q}}(\mathfrak{p}).

Now, if the ring class field associated with an order O in K is given by H_O and O_{H_O} denotes the
maximal order in H_O, then \mathfrak{p} will split in O_{H_O} into prime ideals \mathfrak{P}_1, \ldots, \mathfrak{P}_g as

(\mathfrak{p})_{H_O} = \mathfrak{P}_1 \mathfrak{P}_2 \cdots \mathfrak{P}_g.

Here the degree of \mathfrak{P}_i over K is f [Hec93, IR82, PS92, Ono90, Cha88]. If the class number
of the imaginary quadratic field K is given by h_K, then

h_K = [H_O : K] = f g.

Obviously, the degree of \mathfrak{P}_i over Q will be

f_{\mathfrak{P}_i / p} = (\text{degree of } \mathfrak{p}) \cdot f.

The residue operation O_{H_O}/\mathfrak{P}_i will give a field (Appendix C) of order

p^f

and characteristic p.

So now, we have obtained the finite field by the residue action of \mathfrak{P}_i on O_{H_O}. As our final
objective is to obtain elliptic curves over finite fields, the effect of this quotient operation on
the elliptic curve, having that ring class field as its field of definition, will surely be of interest to
us. Since the coefficients of the elliptic curve equation are from the ring class field H_O, the reduction
operation will obviously give a curve over the finite field obtained as discussed above.

The next theorem is very important as it tells us about the effect of the reduction map on
elliptic curves [LZ94, Sil85].

Theorem 2.6 (a) Let E/C be an elliptic curve with complex multiplication. Its j-invariant
is an algebraic integer.

(b) E/C has good reduction iff its j-invariant is an algebraic integer.

(c) The endomorphism ring of E/C is stable under the reduction map E \to \tilde{E} by \mathfrak{P}_i (as
given above), i.e. End(E) = End(\tilde{E}).

For the integrality of j, [Sil94] contains various proofs. In fact, Q(j(E)) is the splitting field
of j(E), i.e. the polynomial

\prod_{\sigma \in Gal(\mathbb{Q}(j(E))/\mathbb{Q})} \left(X - j(E)^\sigma\right)

has coefficients in Z, and completely splits in Q(j(E)). A careful study reveals that K(j(E))
will be the splitting field of this polynomial over K. Hence we can see that Theorem 2.6 allows
us to apply the reduction map [Ono90].

So, now we have obtained an elliptic curve over the finite field GF(q) of q = p^f elements.
The next important thing to be discussed is the order of the elliptic curve defined over the finite
field. Obviously the order, written as \#E(GF(q)), will be finite as the curve is defined over
a finite field GF(q). Since the order of the elliptic curve over C was infinite, we will now see how
the reduction map defined above helps in determining the order of the elliptic curve over the finite field.
For this we need to introduce the Frobenius map [Ful69, Sil85] for algebraic curves, which
drags us into algebraic geometry [Ful69, Sil85, Abh90, Wal62, Mor93].

Let C/GF(q) be a smooth (non-singular) curve; then the map \phi is called the q-th power Frobe-
nius morphism if

\phi : C \to C

raises each coordinate of a point to its q-th power. This map is purely separable and \deg(\phi) = q [Abh90, Ful69, Sil85].

Proposition 2.5 Let \phi \in End(E). Then

Tr(\phi_\ell) = 1 + \deg(\phi) - \deg(1 - \phi)

Here, \phi_\ell is the 2 \times 2 matrix of \phi acting on the Tate module over the \ell-adic integers [Sil86, PS93] and Tr is
the trace function of this matrix. By abuse of notation, we write the above equation as

Tr(\phi) = 1 + \deg(\phi) - \deg(1 - \phi),

because it simplifies the equation and avoids the need of studying Tate module theory,
which, again, in itself is very vast [Shi71, Sil94].

Now, we can easily see that for a point P(x, y) \in E/GF(q), \phi(P) = P, because in the field GF(q), x^q = x. Hence

(1 - \phi)(P) = O \quad (O \text{ is the point at infinity}),

E(GF(q)) = Ker(1 - \phi)

and

\#E(GF(q)) = \#Ker(1 - \phi) \quad (2.1)

similarly

\#E(GF(q^n)) = \#Ker(1 - \phi^n). \quad (2.2)

Here, (1 - \phi) is a purely separable map [Sil85] and for a purely separable map \psi (= 1 - \phi)

\#Ker(1 - \phi) = \deg(1 - \phi)

Combining this with Equation 2.1, we conclude

\#E(GF(q)) = \#Ker(1 - \phi)
           = \deg(1 - \phi)
           = 1 + \deg(\phi) - Tr(\phi).

The next theorem gives us the final result [LZ94, Sil94].

Theorem 2.7 Let K be a quadratic imaginary field, H_O the ring class field of K, and
E/H_O an elliptic curve with complex multiplication by an order O in K. Let \sigma_{\mathfrak{p}} \in Gal(H_O/K)
be the Frobenius element associated to a prime ideal \mathfrak{p} of O, and let \mathfrak{P}_i be a prime ideal of
H_O lying above \mathfrak{p}. If \mathfrak{p} has degree 1 and E has good reduction, then there exists an isogeny

\phi : E \to E^{\sigma_{\mathfrak{p}}}

whose reduction modulo \mathfrak{P}_i

\tilde{\phi} : \tilde{E} \to \tilde{E}^{\sigma_{\mathfrak{p}}}

is the q-th power Frobenius map. Moreover, there exists a unique \pi = \pi_{\mathfrak{p}} \in O such that
\mathfrak{p}^f = \pi O and the diagram

    E  ----\pi---->  E
    |                |
    v                v
    \tilde{E}  --Frobenius map-->  \tilde{E}

is commutative. Here, f is the degree of \mathfrak{P}_i above \mathfrak{p}.

Here, an important thing to notice is that we have identified an element in O correspond-
ing to the Frobenius map associated with \mathfrak{P}_i in H_O. In fact, the Frobenius map for \mathfrak{p} is N_{\mathbb{Q}}(\mathfrak{p})
and \pi is a power of the norm of \mathfrak{P}_i relative to K [Ono90, Hec93, PS92, IR82]. In other
words, \mathfrak{p}^f is a principal ideal and \pi is a uniformizer element such that \mathfrak{p}^f = \pi O. This leads
us to a very important observation about the degree f of \mathfrak{P}_i over \mathfrak{p}. The degree f is the
minimal integer such that \mathfrak{p}^f becomes a principal ideal. We will see the implications of this
observation later when we discuss the implementation aspects of the theory, discussed in this
chapter, for constructing elliptic curves following certain constraints for security.

Combining the previous results, we can say that there exists a unique element \pi = \pi_{\mathfrak{p}} \in O
(up to multiplication by a unit in O) such that

q = \deg(\phi) = p^f = N_{\mathbb{Q}}(\pi)

and

\#E(GF(q)) = 1 + \deg(\phi) - Tr(\phi)
           = 1 + N_{\mathbb{Q}}(\pi) - Tr(\pi)
           = N_{\mathbb{Q}}(1 - \pi)

From these two equations (referred to as norm equations), we can compute the order of the
elliptic curve \#E(GF(q)) and the finite field GF(q) over which the reduced curve is defined.
It should be noted that for a given q, i.e. the field, there will be more than one value for the order
of elliptic curves having complex multiplication by the same order in an imaginary quadratic
field, and their number will be equal to the number of units in the order O. Hence this leads us to a very
important result about the isomorphism of elliptic curves over finite fields.

Theorem 2.8 Two elliptic curves E_1(GF(q)) and E_2(GF(q)) are isomorphic if and only if
their order and j-invariant both are the same.

Obviously, the modulo \mathfrak{P}_i map will reduce the Weierstrass elliptic curve equation

E(\mathbb{C}) : y^2 = x^3 + ax + b, \quad \text{where } a, b \in \mathbb{C}

to

E(GF(q)) : y^2 = x^3 + ax + b, \quad \text{where } a, b \in GF(q).

The two norm equations obtained above will prove to be very important in constructing
elliptic curves with predefined order, because if we specify the finite field GF(q) and an
integer for the order of the curve to be constructed, then the solution of these equations in an
appropriate imaginary quadratic field guarantees the existence of a curve over GF(q) with
order \#E(GF(q)). In Chapter 4, we will discuss the implementation aspects of this result
to construct elliptic curves which will be useful for cryptography.

Now, we focus upon elliptic curves over finite fields which will be of interest to us from
the point of view of designing a public key cryptosystem.
2.5 Elliptic Curves over Finite Fields


So far, our study of elliptic curves has been limited to complex analysis, algebraic number
theory and modular forms. None of these gives a reason for why the Weierstrass elliptic equation
is called an elliptic curve. Now we will study the Weierstrass elliptic equation as a curve in
algebraic geometry. Please see Appendix D for an introductory overview of some of the basic
concepts of algebraic geometry which will be required in the sequel.

From the algebraic geometric viewpoint, elliptic curves are algebraic varieties of genus one
and are given by the general form of the Weierstrass elliptic equation over any field K.

E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \quad \text{for } a_i \in K. \quad (2.3)

Here, K is a finite or algebraically closed field. The corresponding equation in projective
space can be obtained by substituting x = X/Z and y = Y/Z

E : Y^2 Z + a_1 XYZ + a_3 YZ^2 = X^3 + a_2 X^2 Z + a_4 XZ^2 + a_6 Z^3, \quad \text{for } a_i \in K. \quad (2.4)

This homogeneous equation in the projective plane is important, as it also helps in defining an
extra point on the elliptic curve which is not visible in the affine plane. This point is called the "point
at infinity" and is the only point with Z-coordinate 0, namely (0, 1, 0). The set of all the
points in the affine plane along with this special point is called the elliptic curve.

Since in this section our major concern is with elliptic curves over GF(q), we will consider
K to be GF(q). Since any cubic curve can have at most (3 - 1)(3 - 2)/2 = 1 double
point (see Appendix D), the genus 1 of elliptic curves implies that they are non-singular.
Hence, any Weierstrass equation should be such that \partial f/\partial X, \partial f/\partial Y and \partial f/\partial Z are not
zero simultaneously at any point on the curve. An equivalent definition of non-singularity
of an elliptic curve is given by its discriminant. Any Weierstrass equation with non-zero
discriminant will be non-singular. Let us first define various parameters for the Weierstrass
elliptic equation given above.

c_4 = (a_1^2 + 4a_2)^2 - 24(2a_4 + a_1 a_3),

c_6 = -(a_1^2 + 4a_2)^3 + 36(a_1^2 + 4a_2)(2a_4 + a_1 a_3) - 216(a_3^2 + 4a_6),

\Delta = (c_4^3 - c_6^2)/1728, \quad (2.5)

j(E) = 1728\, c_4^3 / \Delta. \quad (2.6)

Two elliptic curves are said to be isomorphic if they are isomorphic as projective vari-
eties. As we know from the earlier discussion, two elliptic curves over a finite field are
isomorphic if their j-invariants and orders are equal. Hence, isomorphism of projective vari-
eties of two elliptic curves can be expressed in terms of their j-invariant and order \#E(GF(q)).
Equivalently, any birationally equivalent transformation of the Weierstrass equation will give
another isomorphic elliptic curve. Obviously, the j-invariant and order of the elliptic curve will
be invariant under such a birational transformation. The following result relates the notion
of isomorphism of elliptic curves to the coefficients of the Weierstrass equations that define the
curves [Sil85, Men93b].

Theorem 2.9 Two elliptic curves E_1(GF(q)) and E_2(GF(q)) given by equations

E_1 : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,

E_2 : y^2 + \bar{a}_1 xy + \bar{a}_3 y = x^3 + \bar{a}_2 x^2 + \bar{a}_4 x + \bar{a}_6,

are isomorphic over GF(q) iff there exists a birational transformation (i.e. change of vari-
ables)

(x, y) \to (u^2 x + r, \; u^3 y + u^2 s x + t)

which transforms equation E_1 to equation E_2.

Using this theorem, it is possible to transform the Weierstrass elliptic curve equation to
a considerably simpler form. It can be easily shown that

1. if char(GF(q)) \ne 2 then the Weierstrass equation can be transformed by the change of variables
(x, y) \to (x, \; y - \frac{a_1}{2} x - \frac{a_3}{2}) into another isomorphic form E' : y^2 = x^3 + b_2 x^2 + b_4 x + b_6,

2. if char(GF(q)) \ne 2, 3 then the Weierstrass equation can further be transformed by the change
of variables (x, y) \to (x - \frac{b_2}{3}, \; y) into another isomorphic form E'' : y^2 = x^3 +
ax + b,

3. if char(GF(q)) = 2 then there will be two cases

(a) if j(E) \ne 0 then the Weierstrass equation can be reduced to E' : y^2 + xy = x^3 + ax^2 + b,

(b) if j(E) = 0 then E' : y^2 + ay = x^3 + bx + c.

Having seen the isomorphic transformations, now we discuss the group structure of the 
set of all points of an elliptic curve over a finite field GF{q). 

2.6 Group Law 

The set of all the solutions of the Weierstrass elliptic curve equation (and also the isomorphic
reduced forms) takes the structure of an abelian group in a natural way. Though the structure
of the group is unique, there are several ways to define it. As we saw in Section 2.1, the
set of solutions of the Weierstrass equation over C is isomorphic to the complex Lie group C/\Lambda;
it can be shown that the reduction map reduces this group to a group of finite torsion points.
From the algebraic geometric point of view, elliptic curves are described as an abelian variety of
genus one. The Picard group [Sil85] (also see Appendix D) of any smooth algebraic curve (an
algebraic variety of dimension 1) is given by the set of equivalence classes of degree 0 divisors
modulo the set of principal divisors. In this section we will see that, in the case of
elliptic curves, each element of the Picard group (i.e. a divisor of degree 0) can be represented
by a point on the curve. Hence, by defining a binary law for points on the elliptic curve analog-
ous to that for the Picard group, the elliptic curve variety can be given a group structure. Here, we
define the binary law in a rather different and simpler manner.

Let E be an elliptic curve over a field GF(q) (not necessarily finite) together with the
point at infinity O as defined above. Since the Weierstrass equation has degree 3, any line in the
affine plane will intersect the curve at exactly three points, say P, Q, R. Note that if the line
is tangent then P, Q, R may not be distinct. In such a case, the points counted with proper
multiplicities will give count 3. Now, we define the composition law \oplus, referred to as addition,
by the following rule.

Composition Law: Let P, Q \in E, L the line connecting P and Q (tangent if P = Q), and
R the third point of intersection of L with E. Let L' be the line connecting R and O. Then
P \oplus Q is the point such that L' intersects E at R, O, and P \oplus Q.



Figure 2.1: Elliptic Curve over R 

This composition law can easily be verified to satisfy all the axioms required for an abelian
group.

Proposition 2.6 1. If a line intersects E at (not necessarily distinct) points P, Q, R,
then (P \oplus Q) \oplus R = O.

2. P \oplus O = P for all P \in E.

3. P \oplus Q = Q \oplus P for all P, Q \in E.

4. Let P \in E. There is a point of E, denoted by \ominus P, such that P \oplus (\ominus P) = O.

5. Let P, Q, R \in E. Then (P \oplus Q) \oplus R = P \oplus (Q \oplus R).

The proof of all, except (5) (associativity), is quite immediate. For (5), [Cha88] contains
an interesting proof based on Bézout's theorem.

Hence we see that the addition of two points on an elliptic curve is the inverse of the
point at which the line passing through those two points cuts the elliptic curve. Now we
will derive explicit expressions for the addition of two points to obtain the coordinates
of the third point. Let P, Q, R \in E and O be the point at infinity (0, 1, 0). Moreover,
P = (x_1, y_1), Q = (x_2, y_2) and R = (x_3, y_3). The corresponding projective coordinates
are given by P = (X_1, Y_1, Z_1), Q = (X_2, Y_2, Z_2) and R = (X_3, Y_3, Z_3). The affine point
corresponding to a projective point is obtained by the transformation x_i = X_i/Z_i and y_i = Y_i/Z_i.
Let l : y = mx + c be the line passing through the points P and Q.

Now for the general form of the Weierstrass equation, the slope of the line will be given by

m = \begin{cases}
\dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \ne Q, \\[6pt]
\dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3} & \text{if } P = Q,
\end{cases}

and c = y_1 - m x_1. Now by simple algebraic manipulation, the coordinates of the third point
of intersection of the line l and the elliptic curve can be obtained. If P \oplus Q = R, then the
coordinates of the third point will be (x_3, -y_3). Hence

x_3 = m^2 + a_1 m - a_2 - x_1 - x_2, \quad (2.7)

y_3 = -(m + a_1) x_3 - c - a_3. \quad (2.8)


From these equations, we can see that the sum of two points in E can easily be computed. The
next theorem tells us that this composition law is the same as that for the Picard group [Sil85,
TV91].


Theorem 2.10 Let E be an elliptic curve.

(a) For every divisor D \in Div^0(E) there exists a unique point P \in E so that D \sim (P) - (O).
Let

\sigma : Div^0(E) \to E

be the map given by this association.

(b) The map \sigma is surjective.

(c) Let D_1, D_2 \in Div^0(E). Then

\sigma(D_1) = \sigma(D_2) \quad \text{iff} \quad D_1 \sim D_2.

Thus \sigma induces a bijection of sets

\sigma : Pic^0(E) \to E.

If E is given by a Weierstrass equation, then the group law defined above and the group law
induced from Pic^0(E) by using \sigma are the same.

Please refer to [Sil85, TV91] for the proof. There is another way of defining the binary
composition law for elliptic curves using division polynomials [Kob90, Sch85, Men93b].

The next theorem tells us about the bound on the order of the elliptic curve over GF(q) [Sil85].

Theorem 2.11 (Hasse Theorem) Let \#E(GF(q)) = q + 1 - t. Then |t| \le 2\sqrt{q}.

An elliptic curve is said to be supersingular if t is divisible by the characteristic of GF(q).
Otherwise it is called non-supersingular. In fact, an elliptic curve is supersingular if and
only if t^2 = 0, q, 2q, 3q or 4q. As discussed in Section 2.3, the endomorphism ring of a
supersingular elliptic curve is isomorphic to an order in a quaternion algebra whereas that
of a non-supersingular elliptic curve is isomorphic to an order in an imaginary quadratic
field. From this definition of supersingular elliptic curves, it is easy to observe that the
order of any non-supersingular elliptic curve over GF(2^n) will always be even as t is coprime
to 2, the characteristic of the field GF(2^n). The proof of the Hasse theorem is obvious for
non-supersingular elliptic curves from Section 2.4 as every non-supersingular elliptic curve
satisfies the two norm equations for some proper discriminant. We will see in Chapter 4 that
these two norm equations can be written as

q = x^2 + d y^2

\#E(GF(q)) = q + 1 - 2x

where 2x, 2y \in \mathbb{Z}. From the first equation we see that |2x| \le 2\sqrt{q}. Substituting this in the second
equation, we get the bound given by Hasse's Theorem. The bound given in Hasse's Theorem
is valid for supersingular elliptic curves as well. For a detailed proof please refer to [Sil85].
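As an added example (not from the thesis), the following Python code counts the points of y^2 = x^3 + ax + b over GF(p) by brute force and checks the Hasse bound, the supersingularity criterion t ≡ 0 (mod p), and the norm equations above, written as 4q = X^2 + dY^2 with X = 2x, Y = 2y so that the half-integer solutions become integers; it also computes Δ and j for the short normal form as defined in Section 3.1. The curves y^2 = x^3 + x over GF(13) (CM by Z[i], d = 1) and y^2 = x^3 + 1 over GF(7) (CM by Z[ω], d = 3) are constructed toy values.

```python
# Added example (not from the thesis): brute-force point count of a short
# Weierstrass curve y^2 = x^3 + a x + b over GF(p), checked against the Hasse
# bound, the supersingularity criterion, and the CM norm equations
#   4q = X^2 + d Y^2,   #E(GF(q)) = q + 1 - X,
# i.e. the page's q = x^2 + d y^2, #E = q + 1 - 2x with X = 2x and Y = 2y so
# that half-integer x, y (allowed when d = 3 mod 4) become integers.
from math import isqrt


def legendre(n, p):
    """Euler's criterion: 1 if n is a non-zero square mod p, -1 if not, 0 if p | n."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1


def discriminant(p, a, b):
    """Delta = -16(4a^3 + 27b^2) mod p; non-zero means the curve is non-singular."""
    return (-16 * (4 * a ** 3 + 27 * b ** 2)) % p


def j_invariant(p, a, b):
    """j = -1728 (4a)^3 / Delta mod p for the short normal form."""
    delta = discriminant(p, a, b)
    if delta == 0:
        raise ValueError("singular curve: discriminant is zero")
    return (-1728 * (4 * a) ** 3 * pow(delta, -1, p)) % p


def count_points(p, a, b):
    """#E(GF(p)) for E: y^2 = x^3 + a x + b, including the point at infinity."""
    if discriminant(p, a, b) == 0:
        raise ValueError("singular curve: discriminant is zero")
    total = 1  # the point at infinity O
    for x in range(p):
        # each x contributes 1 + legendre(rhs) affine points, i.e. 0, 1 or 2
        total += 1 + legendre(x ** 3 + a * x + b, p)
    return total


def trace(p, a, b):
    """t in #E(GF(q)) = q + 1 - t (Theorem 2.11)."""
    return p + 1 - count_points(p, a, b)


def hasse_bound_holds(p, a, b):
    """|t| <= 2 sqrt(q), checked exactly as t^2 <= 4q."""
    return trace(p, a, b) ** 2 <= 4 * p


def is_supersingular(p, a, b):
    """Supersingular iff the characteristic divides t."""
    return trace(p, a, b) % p == 0


def norm_equation_orders(q, d):
    """All q + 1 - X with X^2 + d Y^2 = 4q and X + Y sqrt(-d) in the order.

    These are the candidate orders of curves with CM by the order of
    discriminant -d (d = 1 for Z[i], d = 3 for Z[omega]): one candidate per
    unit of that order, as the text states.
    """
    orders = set()
    bound = isqrt(4 * q)
    for X in range(-bound, bound + 1):
        rest = 4 * q - X * X
        if rest % d:
            continue
        Y = isqrt(rest // d)
        if Y * Y * d != rest:
            continue
        # d = 3 mod 4: half-integers allowed, so X and Y need equal parity;
        # otherwise X and Y must both be even.
        if d % 4 == 3:
            if (X - Y) % 2 == 0:
                orders.add(q + 1 - X)
        elif X % 2 == 0 and Y % 2 == 0:
            orders.add(q + 1 - X)
    return orders


if __name__ == "__main__":
    # Constructed sample: y^2 = x^3 + x over GF(13) has CM by Z[i] (d = 1).
    print(count_points(13, 1, 0), norm_equation_orders(13, 1))
    # y^2 = x^3 + 1 over GF(7) has CM by Z[omega] (d = 3): six candidates.
    print(count_points(7, 0, 1), norm_equation_orders(7, 3))
```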

From the theory of abelian groups, we know that any finite abelian group G can be
decomposed into a direct sum of cyclic groups

G = \mathbb{Z}_{n_1} \oplus \cdots \oplus \mathbb{Z}_{n_s}

where n_{i+1} | n_i. We say that the group G is an abelian group of type (n_1, \ldots, n_s) and rank s.
The next theorem tells us about the structure of the elliptic curve group.

Theorem 2.12 E(GF(q)) is an abelian group of rank 1 or 2. The type of the group is
(n_1, n_2), i.e. E(GF(q)) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}, where n_2 | n_1 and furthermore n_2 | q - 1.

The elliptic curve group will be cyclic if its rank is one or, equivalently, if n_2 and q - 1 are
relatively prime.

With this we conclude this chapter. In Chapter 3, we will discuss the discrete logarithm
problem in the elliptic curve group and its application in public key cryptography.
Chapter 3

Elliptic Curve Discrete Logarithm 
Problem and Cryptosystems 


In Chapter 2, we began with the Weierstrass elliptic function \wp(z) and later obtained the non-
supersingular elliptic curve over a finite field GF(q) using reduction maps. Now, we discuss the
elliptic curves over GF(q) so as to understand their use in designing an efficient and secure
cryptosystem as mentioned in Chapter 1. We will also introduce the Discrete Logarithm
Problem and briefly survey various algorithms known for solving it. Since the intractability
of the discrete logarithm problem (DLP) in any finite abelian group G is a measure of the security
of a cryptosystem defined over G, our aim will be to determine all conditions for which the known
algorithms will fail. In the first section, we give the point addition formulae for elliptic curves
over GF(p) and GF(2^n) which are useful from the point of view of implementation.

3.1 Elliptic Curves over GF(2^n) and GF(p)

As we have seen, the addition of two points in the elliptic curve group requires arithmetic
in the underlying field. From the practical point of view, the finite fields GF(p) and GF(2^n) are of
interest as their arithmetic is simple and more suitable for hardware and software implemen-
tation. In this section, we will concentrate on elliptic curves over these fields only.

The finite field GF(2^n) is more attractive for hardware implementation as its elements
are represented by a string of n bits. Moreover, addition in this field is equivalent to XORing
of binary bits and multiplication can be done by a logic circuit [LN94, Men93a, McE87]. We
will discuss the efficient arithmetic related issues in Chapter 6 in detail. Here, we give the
addition formulae for elliptic curves over GF(2^n).

As we discussed in Chapter 2, the Weierstrass elliptic curve equation over GF(2^n) can
be reduced to an isomorphic form. For supersingular elliptic curves the reduced equation is
as given below [Men93a, Men93b, AMV93].

y^2 + ay = x^3 + bx + c

where a, b, c \in GF(2^n)


It can easily be shown that the j-invariant for these curves will always be zero. We will see
in Chapter 4 that there are only 3 and 7 isomorphism classes of supersingular curves for n
odd and even respectively. Now, we define the addition for supersingular elliptic curves. Let
P = (x_1, y_1) \in E; then \ominus P = (x_1, y_1 + a). If Q = (x_2, y_2) \in E and Q \ne \ominus P, then P \oplus Q = (x_3, y_3),
where

x_3 = \begin{cases}
\left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)^2 + x_1 + x_2 & Q \ne P \\[6pt]
\left(\dfrac{x_1^2 + b}{a}\right)^2 & Q = P
\end{cases}

and

y_3 = \begin{cases}
\left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_3 + x_1) + y_1 + a & Q \ne P \\[6pt]
\left(\dfrac{x_1^2 + b}{a}\right)(x_3 + x_1) + y_1 + a & Q = P
\end{cases}

Notice that the addition of two points requires 2 multiplications and 1 inverse, whereas doubling
requires 1 multiplication and the inverse of a, which can be precomputed.

The reduced curve equation for non-supersingular elliptic curves is given by

y^2 + xy = x^3 + ax^2 + b \quad \text{where } a, b \in GF(2^n)

Now, we define the addition for non-supersingular elliptic curves. Let P = (x_1, y_1) \in E; then
\ominus P = (x_1, x_1 + y_1). If Q = (x_2, y_2) \in E and Q \ne \ominus P then P \oplus Q = (x_3, y_3), where

x_3 = [formula illegible in the scanned source]

and

y_3 = \begin{cases}
\left(\dfrac{y_1 + y_2}{x_1 + x_2}\right)(x_3 + x_1) + x_3 + y_1 & Q \ne P \\[6pt]
x_1^2 + \left(x_1 + \dfrac{y_1}{x_1}\right) x_3 + x_3 & Q = P
\end{cases}

In this case, the point addition requires 2 multiplications and 1 inverse and doubling requires
3 multiplications and 1 inverse. Hence, from the implementation point of view, supersingular
curves are more efficient. However, as we will see, there are only a limited number of
choices for supersingular elliptic curves over GF(2^n).
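As an added example (not code from the thesis), here is the GF(2^n) arithmetic described above (addition as XOR, multiplication by shift-and-XOR reduced modulo an irreducible polynomial) together with the group law of the non-supersingular form y^2 + xy = x^3 + ax^2 + b. The x_3 formulas, which are illegible in the scan, follow the standard ones of Menezes [Men93a]; the field GF(2^4) with reduction polynomial x^4 + x + 1, the curve with a = b = 1 and the point (1, α^5) are constructed toy values.

```python
# Added example (not from the thesis): GF(2^n) arithmetic on n-bit integers
# and the group law of the non-supersingular binary curve
#   y^2 + x y = x^3 + a x^2 + b   over GF(2^n)
# using the standard formulas (Menezes); the point at infinity O is None.
N = 4                      # constructed toy field GF(2^4)
MODULUS = 0b10011          # x^4 + x + 1, irreducible over GF(2)


def gf_mul(u, v):
    """Shift-and-XOR multiplication, reducing whenever the degree reaches n."""
    r = 0
    while v:
        if v & 1:
            r ^= u         # field addition is XOR
        v >>= 1
        u <<= 1
        if u >> N:
            u ^= MODULUS
    return r


def gf_inv(u):
    """u^-1 = u^(2^n - 2) by square-and-multiply (Fermat), u != 0."""
    if u == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^n)")
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r


def on_curve(pt, a, b):
    if pt is None:
        return True
    x, y = pt
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(gf_mul(x, x), x) ^ gf_mul(a, gf_mul(x, x)) ^ b
    return lhs == rhs


def neg(pt):
    """-P = (x1, x1 + y1)."""
    if pt is None:
        return None
    x, y = pt
    return (x, x ^ y)


def add(p, q, a, b):
    """P + Q: 2 multiplications and 1 inverse for addition, 3 and 1 for doubling."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2:
        # same x: either Q = -P, or doubling; x1 = 0 is the point of order 2
        if y1 != y2 or x1 == 0:
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))            # x1 + y1/x1
        x3 = gf_mul(lam, lam) ^ lam ^ a
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)    # x1^2 + (lam + 1) x3
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))       # (y1 + y2)/(x1 + x2)
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)


def mul(k, pt, a, b):
    """kP by double-and-add."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt, a, b)
        pt = add(pt, pt, a, b)
        k >>= 1
    return r


if __name__ == "__main__":
    # Constructed toy curve y^2 + xy = x^3 + x^2 + 1 with the point (1, alpha^5)
    A, B = 1, 1
    P = (1, 0b0110)
    print(on_curve(P, A, B), add(P, P, A, B), mul(4, P, A, B))
```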

In the case of an elliptic curve over GF(p) (p > 3) the reduced form is given by

y^2 = x^3 + ax + b

where a, b \in GF(p).

This equation is also called the short normal form of the Weierstrass equation. The j-invariant and
discriminant for this equation are given by

\Delta = -16(4a^3 + 27b^2) \quad \text{and} \quad j = -1728(4a)^3/\Delta
Here addition is defined as follows:

Let P = (x_1, y_1) \in E; then \ominus P = (x_1, -y_1). If Q = (x_2, y_2) \in E and Q \ne \ominus P then P \oplus Q =
(x_3, y_3), where

x_3 = m^2 - x_1 - x_2, \quad (3.1)

y_3 = m(x_1 - x_3) - y_1, \quad (3.2)

with

m = \begin{cases}
\dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \ne Q, \\[6pt]
\dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q.
\end{cases}


We will see in Chapter 6 that the inverse computation can be avoided by using projective
coordinates. This leads to a reduction in the computations that need to be carried out.

In the next section, we explain the discrete logarithm problem in finite abelian groups
and also in the elliptic curve group.


3.2 Discrete Logarithm Problem 

The discrete logarithm problem (DLP) in a finite multiplicative group G refers to the computa-
tion of x for two elements a, b of G such that a^x = b. The integer x is said to be the logarithm of
b to base a. This problem is known to be very difficult if the group order is large. The in-
tractability of this problem motivated Diffie and Hellman to introduce the concept of public
key cryptography, which exploits the difficulty of finding discrete logarithms in a finite
group as a security measure. Initially, Diffie and Hellman's idea was limited to the discrete
logarithm problem in the multiplicative group of GF(p), but in 1985 it was generalized by ElGa-
mal [ElG85] to any finite abelian group. The application of the DLP in cryptography has been
one of the reasons for increased attention towards solving this problem. Consequently, sev-
eral algorithms and techniques have been proposed in the recent past for finding logarithms
in finite abelian groups.

Under the threat posed by the ongoing research in this area, the search for small groups
with a relatively difficult discrete logarithm problem has been of great interest for cryptogra-
phers. The elliptic curve emerges in cryptography as one of the outcomes of this search. The
discrete logarithm problem in an elliptic curve group E refers to the computation of k for given
P, Q \in E such that

Q = kP = \underbrace{P \oplus P \oplus \cdots \oplus P}_{k \text{ times}}

Here, we first briefly survey various algorithms for finding discrete logarithms in a finite
abelian group. In each case, we will also discuss the complexity of the discrete logarithm
problem in the elliptic curve group. An elliptic curve group can either be cyclic or of type (n_1, n_2)
with rank 2. If the elliptic curve group is not cyclic then we will concentrate on its subgroup of
order n_2 which will be cyclic. It should be noted that for a non-cyclic elliptic curve of type
(n_1, n_2), the integer n_1 divides n_2. This survey will also help us in finding the constraints on
the selection of a group for a cryptosystem so as to frustrate all known algorithms. We will
discuss the public key algorithms for elliptic curve cryptosystems in Section 3.4.

The algorithms which are known for finding discrete logarithms in a finite abelian group
can be categorized as follows. In the discussion given below, the groups are assumed to be
abelian.

1. The algorithms which work in any arbitrary cyclic group (square root attacks).

2. The algorithm which works in any arbitrary group but exploits the subgroup structure
(Pohlig-Hellman Method [PH78]).

3. Index Calculus Method.

4. MOV reduction attack for elliptic curves.

Now, we discuss each of these cases separately.

3.2.1 Square Root Methods 

In this section, we will discuss the algorithms in arbitrary cyclic groups. These algorithms
are called square root methods because their computational complexity is of the order of the
square root of the size of the group. Unless otherwise specified, G will denote a finite abelian
group of order m with a as the generator element of the group. Let m' = \lceil \sqrt{m} \rceil.

Baby-Step Giant Step Method 

This method is due to Shanks [Sch85]. Let a^x = b. Hence, the discrete logarithm problem refers
to the computation of x = \log_a b. This method begins with precomputing a list of pairs (i, a^i)
for 0 \le i < m' and storing it in memory. The stored list is sorted by the second component.
Now for each j, 0 \le j < m', compute b a^{-jm'} and check by applying binary search whether
it equals any of the a^i in the stored list. If a match is found for some i and j then

b a^{-jm'} = a^i \Rightarrow b = a^{i + jm'}

\Rightarrow \log_a b = i + jm'.

This algorithm requires memory for storing O(m') entries of the table. Moreover, O(m')
search operations are to be performed, where each binary search requires O(\log m') steps.
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Hence, total number of steps involved are 0{vi' login'). Apart from this, needs to 

be computed before each of 0{m') search which recpiires two multiplications needs 
to be computed in the beginning only and rest of the terms can be computed by repeated 
multiplication). Hence, we see this algorithm reciuires storage of in! entries and 0(m'(logm^+ 
c)) steps. In case of elliptic curves, the list will consists of niultipl(« of g(;nerator point which 
further increases the storage recjuirements. In fact, ins(.('a(l of storing both the coordinates of 
a point, only the part of .x-coordinate cxm bo storcul. This reduces the storage requirements 
significantly. 

Now, if we select a finite abelian group ( any grouj), not necessarily elliptic curve group) 
such that its order is at least 10'^'’, then this algoritlim will not be good from point of view 
of actual implementation. Hence, we get a restriction on the group to be selected for cryp- 
tosystem that its order should b(^ greater than 10'’“. 

Pollard $\rho$-Method 

In [Pol78], Pollard discusses a probabilistic algorithm which does not require the precomputation 
of a list of logarithms and needs only a constant amount of memory. By heuristic arguments, 
it is shown that this algorithm requires $O(m')$ steps. Hence, this too is infeasible if the order 
of the group is very large. Please refer to [Men93a, Pol78] for details. 

3.2.2 Pohlig-Hellman Method 

This method for computing discrete logarithms exploits the subgroup structure of the group 
$G$. It requires the factorization of $m$ to determine the various subgroups of $G$, and then solves 
the discrete logarithm problem in each subgroup using a square root method. The final 
result is obtained by applying the Chinese remainder theorem [IR82]. Let 

$$m = \prod_{i=1}^{t} p_i^{e_i},$$

where the $p_i$ are prime numbers and the $e_i$ are positive exponents. The algorithm begins with 
the computation of $z_i = x \bmod p_i^{e_i}$ for each $i$. Here $x = \log_\alpha \beta$. 

Suppose that $z_i = \sum_{j=0}^{e_i - 1} z_{ij}\, p_i^{j}$, where $0 \le z_{ij} < p_i$. 

Let $\gamma_i$ be the $p_i$-th root of unity in $G$, i.e. $\gamma_i = \alpha^{m/p_i}$. Then 

$$\beta^{m/p_i} = \alpha^{x m/p_i} = \gamma_i^{x} = \gamma_i^{z_{i0}},$$

since $\gamma_i$ has order $p_i$ and $x \equiv z_{i0} \pmod{p_i}$. Hence, we now need to compute the $z_{ij}$. 
Since $z_{i0}$ is the logarithm of $\beta^{m/p_i}$ to the base $\gamma_i$ in the 
cyclic subgroup of order $p_i$ in $G$, it can be computed using the Baby-Step Giant-Step method in 
$O(\sqrt{p_i}(\log p_i + c))$ steps and with $O(\sqrt{p_i})$ entries. For the computation of $z_{i1}$, we see that 

$$\left(\beta\alpha^{-z_{i0}}\right)^{m/p_i^2} = \gamma_i^{z_{i1}},$$

and in general $\left(\beta\alpha^{-(z_{i0} + z_{i1}p_i + \cdots + z_{i,j-1}p_i^{j-1})}\right)^{m/p_i^{j+1}} = \gamma_i^{z_{ij}}$. 
Thus we can compute $z_{i1}$ and hence the other $z_{ij}$ as well for all values of $j$. Repeating this 
procedure for each $i$, $z_i$ can be computed. Once all the $z_i$ are known, the discrete logarithm 
$x$ can be computed using the Chinese remainder theorem. 

To determine the complexity of this algorithm, we see that for each $p_i$, $e_i$ discrete logarithms 
need to be computed. Hence, this method requires storage of $O(\max_i \sqrt{p_i})$ group elements 
(the table for one $p_i$ can be discarded before the next is built) and 
$O\!\left(\sum_{i=1}^{t} e_i(\log m + \sqrt{p_i}\log p_i)\right)$ steps for the computation of the discrete logarithm. 

To make this attack infeasible, it is necessary that $m$ should contain a large prime 
factor. The prime factor must be greater than a 30 decimal digit integer. 
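The baby-step giant-step and Pohlig-Hellman methods of Sections 3.2.1 and 3.2.2, as an added worked example that is not part of the thesis. The group is passed in as its binary operation and identity, so the same functions serve an elliptic curve subgroup once the operation is point addition; here they are run on the multiplicative group of $GF(p)$ for a small constructed prime ($p = 1009$, $p - 1 = 2^4 \cdot 3^2 \cdot 7$), chosen purely for illustration. The exact order of the base element is computed rather than assumed.

```python
"""Baby-step giant-step and Pohlig-Hellman in a generic finite cyclic group.

Added illustration (not from the thesis).  A group is described by its binary
operation `op` and `identity`; g^e below means e-fold application of `op`, so
for an elliptic curve subgroup `op` is point addition and g^e is eP.
"""
from math import isqrt


def power(op, identity, g, e):
    """g^e by square-and-multiply (e >= 0)."""
    result, base = identity, g
    while e > 0:
        if e & 1:
            result = op(result, base)
        base = op(base, base)
        e >>= 1
    return result


def factorize(n):
    """Trial-division factorisation {prime: exponent}; adequate for toy sizes."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def element_order(op, identity, g, group_order):
    """Exact order of g, given a multiple of it (e.g. the group order)."""
    n = group_order
    for p in factorize(group_order):
        while n % p == 0 and power(op, identity, g, n // p) == identity:
            n //= p
    return n


def bsgs(op, identity, g, h, n):
    """Shanks' method: x in [0, n) with g^x = h, where g has order n.
    Stores m' = ceil(sqrt(n)) baby steps g^i (a dict stands in for the sorted
    list plus binary search), then walks the giant steps h * g^(-j m')."""
    m = isqrt(n) + 1
    baby, cur = {}, identity
    for i in range(m):
        baby.setdefault(cur, i)              # keep the smallest i per value
        cur = op(cur, g)
    giant = power(op, identity, g, (-m) % n)  # g^(-m'), computed once
    cur = h
    for j in range(m):
        if cur in baby:
            return (baby[cur] + j * m) % n
        cur = op(cur, giant)
    return None                              # h is not in <g>


def crt(residues):
    """Combine (z_i, n_i) with pairwise coprime moduli into x mod prod(n_i)."""
    x, mod = 0, 1
    for z, n in residues:
        x += mod * (((z - x) * pow(mod, -1, n)) % n)
        mod *= n
    return x % mod


def pohlig_hellman(op, identity, g, h, n):
    """Solve g^x = h where ord(g) = n = prod p_i^e_i.  For each p_i the digits
    z_ij of x mod p_i^e_i are found one at a time as logarithms in the
    order-p_i subgroup generated by gamma_i = g^(n/p_i); bsgs solves each."""
    residues = []
    for p, e in factorize(n).items():
        gamma = power(op, identity, g, n // p)   # element of order p
        z = 0
        for j in range(e):
            # (h * g^-z)^(n / p^(j+1)) = gamma^(z_ij) gives the next digit
            hz = op(h, power(op, identity, g, (-z) % n))
            target = power(op, identity, hz, n // p ** (j + 1))
            digit = bsgs(op, identity, gamma, target, p)
            if digit is None:
                return None                      # h not in <g>
            z += digit * p ** j
        residues.append((z, p ** e))
    return crt(residues)


def demo(p=1009, g=11, secret=777):
    """Recover `secret` mod ord(g) in GF(p)^*; returns (order, logarithm)."""
    op = lambda a, b: a * b % p
    n = element_order(op, 1, g, p - 1)
    h = power(op, 1, g, secret)
    return n, pohlig_hellman(op, 1, g, h, n)


if __name__ == "__main__":
    print(demo())
```

The cost is dominated by the largest prime factor of the group order, exactly as the complexity estimate above says: each `bsgs` call works in a subgroup of prime order $p_i$, so a 30-digit prime factor forces a table of about $10^{15}$ entries no matter how smooth the rest of $m$ is.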

3.2.3 Index Calculus Method 

This method is considered to be the most powerful for computing logarithms in finite abelian 
groups, but it does not apply to an arbitrary finite abelian group. We will see that this 
method applies successfully to the multiplicative groups of $GF(p)$ and $GF(2^n)$, whereas in the 
case of elliptic curve groups it has not been shown to be applicable. This justifies the superiority 
of elliptic curve cryptosystems over other cryptosystems based on the discrete logarithm problem 
in finite fields. A brief description of the algorithm follows [Sim91, Men93a]. 

The standard index calculus approach consists of two stages. The first is the precomputation 
(carried out once for a given group) of a large subset $S = \{\gamma_1, \ldots, \gamma_n\}$ of $G$ with the 
property that a significantly large fraction of $G$ can be expressed as products of elements of 
$S$. The set $S$ is called the factor base. Now, for the computation of the logarithms of the 
elements of the factor base with respect to $\alpha$, approximately $n$ ($= |S|$) linear equations relating 
$n$ unknowns, the unknowns being the required logarithms, are obtained. The logarithms are 
then obtained by solving these equations. To obtain a linear equation, we choose an integer $s$ 
randomly and try to express $\alpha^s$ as a product of the $\gamma_i$: 

$$\alpha^s = \prod_{i=1}^{n} \gamma_i^{c_i}.$$

In case of failure the process is repeated; otherwise we obtain 

$$s \equiv \sum_{i=1}^{n} c_i \log_\alpha \gamma_i \pmod{m}.$$

After collecting a sufficient number of such equations, we solve them for the $\log_\alpha \gamma_i$. This 
completes the computation of the first stage. 

Now for computing $x = \log_\alpha \beta$, we try to express $\alpha^s\beta$ in terms of the $\gamma_i$ for a randomly 
chosen $s$: 

$$\alpha^s \beta = \prod_{i=1}^{n} \gamma_i^{b_i}.$$

If we succeed in this process, then 

$$x = \log_\alpha \beta \equiv \sum_{i=1}^{n} b_i \log_\alpha \gamma_i - s \pmod{m}.$$

The complexity of this method is given by 

$$L[m, a, c] = O\!\left(\exp\left((c + o(1))(\log m)^{a}(\log\log m)^{1-a}\right)\right),$$

where $c$ is a constant and $0 < a < 1$. The complexity of this algorithm depends largely 
upon the problem of selecting a minimal factor base which spans a large fraction of $G$. For 
the prime field $GF(p)$, the obvious choice of factor base is a set of sufficiently many small prime 
integers, and for $GF(2^n)$ the set of all polynomials of degree less than some appropriately 
chosen integer $d$ [Sim91]. This algorithm poses a serious threat to cryptosystems which are 
based on the discrete logarithm problem in $GF(p)$ and $GF(2^n)$. The minimum size of the 
field for a cryptosystem to be secure under this attack is approximately $2^{\ldots}$. Whereas in the 
case of elliptic curves, there seems to be no proper choice for the factor base $S$. The most natural 
seems to be the points of small height$^1$ in $E(\mathbb{Q})$ [Sil85]. But there are few points of small 
height and it is very difficult to find them. Even if such a set is found, no practical 
method for lifting an arbitrary point in $E(GF(q))$ to a point in $E(\mathbb{Q})$ is known [Men93b, Sil85]. 

Now we discuss the MOV (Menezes, Okamoto, Vanstone) [Men93a, Men93b] attack, which 
works specifically on elliptic curves. 

3.2.4 MOV Reduction Attack 

This method reduces the discrete logarithm problem in the elliptic curve group over $GF(q)$ to 
the discrete logarithm problem in the multiplicative group of a suitable finite extension $GF(q^k)$ 
of $GF(q)$ using the Weil pairing [Men93a, Men93b, Sil85]. This is achieved by establishing an 
isomorphism between $\langle P \rangle$, the subgroup of $E(GF(q))$ generated by $P$, and the subgroup of 
the same order of the multiplicative group of a suitable finite extension $GF(q^k)$. Hence, for this 
attack to be applicable, the order $q^k - 1$ of the multiplicative group of the extension field $GF(q^k)$ 
must be divisible by $\#E(GF(q))$ ($= m$). That means 

$$q^k \equiv 1 \pmod{m}. \tag{3.3}$$

$^1$ The height of a point on an elliptic curve is, roughly, the logarithm of its $x$-coordinate; in other 
words, it measures the number of decimal digits or bits in the $x$-coordinate. 
Let us first define the Weil pairing [Sil85, Men93a, Men93b]. Let $l$ be a positive integer relatively 
prime to $q$. Then the Weil pairing $e_l$ is a function 

$$e_l : E[l] \times E[l] \to GF(q^k)^{*}$$

where $E[l]$ is the subgroup of $l$-torsion points of the elliptic curve, i.e. the points $P$ with 
$lP = \mathcal{O}$, and $k$ is such that $E[l] \subseteq E(GF(q^k))$. 

Now we give some of the important properties of the Weil pairing function $e_l$. 

1. Identity: For all $P \in E[l]$, $e_l(P, P) = 1$. 

2. Alternation: For all $P, Q \in E[l]$, $e_l(P, Q) = e_l(Q, P)^{-1}$. 

3. Bilinearity: For all $P, Q, R \in E[l]$, 
$e_l(P \oplus Q, R) = e_l(P, R)\,e_l(Q, R)$ 
and $e_l(P, Q \oplus R) = e_l(P, Q)\,e_l(P, R)$. 

4. If $E[l] \subseteq E(GF(q))$, then $e_l(P, Q) \in GF(q)$ for all $P, Q \in E[l]$. 

The Weil pairing function can be obtained in terms of functions with prescribed principal 
divisors [Sil85, Men93a, Men93b] associated with $P$ and $Q$. Please see [Men93a, Men93b] for 
further details. 

Let us assume that $E[l] \subseteq E(GF(q^k))$ for some finite extension $GF(q^k)$ of $GF(q)$ (in 
general $E[l]$ is not contained in $E(GF(q))$ itself). The next theorem defines the required 
isomorphism. 

Theorem 3.1 Let $Q \in E[l]$ be such that $\alpha = e_l(P, Q)$ is a primitive $l$-th root of unity, and let 
$f : \langle P \rangle \to \mu_l$ be defined by $f : R \mapsto e_l(R, Q)$. Then $f$ is a group isomorphism. Here 
$P, Q, R \in E[l]$ and $\mu_l \subseteq GF(q^k)^{*}$ is the group of $l$-th roots of unity. 

Now, let $P$ be a point in $E(GF(q))$ of order $l$ such that $\gcd(q, l) = 1$, and let $R \in \langle P \rangle$. Then 
consider the following algorithm for the computation of $s$ such that $R = sP$. 

Procedure ECDLP($E$, $P$, $R$, $l$, $GF(q)$) 

1. Begin. 

2. Find the smallest extension degree $k$ such that $E[l] \subseteq E(GF(q^k))$. 

3. Find $Q \in E[l]$ such that $\alpha = e_l(P, Q)$ is a primitive $l$-th root of unity, i.e. $\alpha^l = 1$ and 
$\alpha \neq 1$ (for prime $l$). 

4. Compute $\beta = e_l(R, Q)$. 

5. Compute $s$, the discrete logarithm of $\beta$ to the base $\alpha$ in $GF(q^k)^{*}$. 

6. End. 
The correctness of the algorithm is immediate, as 

$$\beta = e_l(R, Q) = e_l(sP, Q) = e_l(P, Q)^{s} \;\;\text{(bilinearity)}\; = \alpha^{s}.$$

This algorithm requires the minimum field extension in which $E[l]$ can be embedded. If 
$k$ is large, then the algorithm takes a long time in finding the discrete logarithm, as the size of 
the extension field becomes very large. Since there are few isomorphism classes of supersingular 
elliptic curves (see Chapter 4), and for each class the order of the curve is known, the extension 
degree can easily be found. It is found that the maximum extension degree for the minimal 
suitable extension of the working field is 4 and 6 for $GF(2^n)$ and $GF(p)$ respectively [Men93a, 
Men93b]. Hence this method is very efficient for supersingular elliptic curves. 

In the case of non-supersingular elliptic curves there are plenty of choices for the order of 
the curve over a given finite field. Hence, the elliptic curve can be so selected that the MOV 
attack becomes infeasible. If the order of the curve is not relatively prime to the characteristic 
of the field, then Equation 3.3 will not hold for any value of $k$. If an elliptic curve is defined 
over $GF(p)$ such that its order is $p$, then the MOV attack will not be applicable to this elliptic 
curve. Hence such curves will be of great interest in cryptography. In Chapter 7, we will 
give examples of such curves. It must be added, however, that curves with $\#E(GF(p)) = p$ 
(anomalous curves) were later shown to be weak by a different attack: Smart, and independently 
Satoh-Araki and Semaev, gave an algorithm that solves the discrete logarithm on them in 
essentially linear time, so resistance to the MOV reduction is not sufficient and such curves must 
be avoided in practice. 

The order of a non-supersingular elliptic curve over $GF(2^n)$ is always even and hence is 
not relatively prime to the characteristic of the field $GF(2^n)$. But in this case the above 
algorithm can be applied with a minor modification. In [Miy91], Miyaji discusses a variation 
of the above algorithm to reduce the discrete logarithm problem in $E(GF(2^n))$ to the discrete 
logarithm problem in some suitable extension of $GF(2^n)$. 

Let $\#E(GF(2^n)) = m = c \cdot q$ and $P, R \in E(GF(2^n))$ such that $R = sP$. Here $c$ is the even 
factor of the order of the curve and $q$ is the (odd) prime factor (in this paragraph $q$ denotes 
this prime, not the field size). Further, let $P' = cP$ and $R' = cR$. 
Notice that $R'$ will lie in $\langle P' \rangle$ because $R \in \langle P \rangle$. Since the order of $\langle P' \rangle$ is $q$, the 
MOV reduction algorithm can be applied to find an integer $s'$ such that $R' = s'P'$. The point 
$R - s'P$ will definitely belong to $\langle qP \rangle$, because $c(R - s'P) = R' - s'P'$ is the point at infinity. 
Now we compute $s'P$ and find an integer $s''$ such that $R - s'P = s''(qP)$. Since the order of 
$\langle qP \rangle$ is $c$, the integer $s''$ can easily be computed. Once $s'$ and $s''$ are known, the integer $s$ 
can be computed easily by setting $s = s' + s''q \bmod m$. This discussion completes the proof of 
the following. 

Theorem 3.2 For any elliptic curve $E(GF(2^n))$ and any point $P \in E(GF(2^n))$, we can 
reduce the discrete logarithm problem in the elliptic curve group to one in another elliptic curve 
group whose order is either equal to or less than that of the original group. 
In the next section we summarize the preceding discussion with restrictions on the selection 
of elliptic curves such that all of the above algorithms fail. 

3.3 Restrictions on Selection of Elliptic Curve 

As we discussed in the previous section, the order of the elliptic curve group must be greater 
than a 30 digit decimal number to make the square root attacks infeasible. Moreover, if the 
order of the curve contains a large prime factor, then the Pohlig-Hellman attack will be no 
better than the square root attacks. Hence, from the point of view of security, the elliptic curve 
should be selected such that its order contains a prime factor greater than a 30 digit decimal 
number. (These bounds reflect the computing power of the time; current practice requires a 
prime-order subgroup of at least about 256 bits, i.e. roughly 77 decimal digits, for 128-bit 
security.) 

The index calculus is considered to be impractical over elliptic curve groups, but surely 
is a serious threat for cryptosystems based on the discrete logarithm problem in $GF(2^n)$ and 
$GF(p)$. 

Now, we discuss the restrictions on the selection of the elliptic curve to make the MOV 
reduction attack infeasible [CTT94]. As we discussed in the previous section, the MOV attack is 
based on an isomorphism of $E(GF(q))$ with a subgroup of the multiplicative group of some 
suitable extension field $GF(q^k)$. Let us assume that $\#E(GF(q)) = m = c \cdot q'$, where $c$ is a 
small number (say less than 100) and $q'$ is the large prime factor (greater than 30 decimal digits). 

For curves over GF(p) 

Here $q = p$. If the extension field $GF(p^k)$ contains a subgroup isomorphic to $E(GF(p))$, 
then 

$$p^k \equiv 1 \pmod{m}.$$

Since $\gcd(p, m) = 1$, from Euler's generalization of Fermat's theorem we can say that the smallest 
such $k$ (the multiplicative order of $p$ modulo $m$) must be a factor of $\varphi(m)$, where $\varphi$ is 
Euler's totient function. First we make the following definition. 

Definition 3.1 A number $x$ is said to be $B$-nonsmooth if it has no prime factor less than $B$. 

Now, if we select the prime factor $q'$ such that $(q' - 1)/2$ is $B$-nonsmooth and 

$$p^{2\varphi(c)} \not\equiv 1 \pmod{m},$$

then we can be sure that the minimum extension degree for the MOV attack to be applicable 
will be at least $B$. (The order of $p$ modulo $q'$ divides $q' - 1$; if it were 1 or 2, then 
$p^{2\varphi(c)} \equiv 1 \pmod{m}$ would hold, so it is a divisor of $q' - 1$ larger than 2 and hence has 
a prime factor at least $B$.) Hence, by taking an appropriately large $B$, the MOV attack can 
be frustrated for non-supersingular elliptic curves over $GF(p)$. 

For curves over $GF(2^n)$ 

Here $q = 2^n$. For supersingular elliptic curves the MOV attack is very effective. There are 
7 and 3 isomorphism classes of supersingular elliptic curves over $GF(2^n)$ for even and odd 
$n$ respectively. It is known that the maximum value of the minimum degree of extension for 
the MOV attack to be applicable is 4. While selecting a curve for a cryptosystem, the working 
field should be so chosen that the order of the curve contains a prime factor greater than 30 
decimal digits and the extension field for the MOV attack is larger than $GF(2^{\ldots})$. 

Since non-supersingular elliptic curves over $GF(2^n)$ always have even order, the small 
factor $c$ of $m = c \cdot q'$ will be even. Hence, if the base point $P$ for $E(GF(2^n))$ is a generator 
of the curve, then there will be no $k$ for which $q^k \equiv 1 \pmod{m}$ holds, because $q$ and 
$m$ are not relatively prime. In such a case, Miyaji's variation of the MOV algorithm can be 
used. According to this variation, the discrete logarithm problem is mapped to the discrete 
logarithm problem in the subgroup of $E(GF(2^n))$ which has odd order. Let $c'$ be the odd 
part of $c$. If the prime factor $q'$ of the order is such that $(q' - 1)/2$ is $B$-nonsmooth and 

$$q^{2\varphi(c')} \not\equiv 1 \pmod{c'q'},$$

then the minimum extension degree will be at least $B$. 

Hence, to ensure the security of the cryptosystem, the elliptic curve should be so selected 
that its order contains a prime factor greater than a 30 digit decimal number and the extension 
degree for the MOV attack to be applicable is controlled by a lower bound. 
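The embedding degree $k$ of Equation 3.3 and the two selection criteria of this section (for $GF(p)$ and, via Miyaji's odd-order subgroup, for $GF(2^n)$), as an added example that is not part of the thesis. Everything here is integer arithmetic on the group order: the MOV reduction lands an order-$n$ subgroup in $GF(q^k)^{*}$ exactly when $n \mid q^k - 1$. The sample orders ($m = 4 \cdot 23$ over $GF(89)$, $m = 2 \cdot 11$ and $2 \cdot 19$ over $GF(2^5)$, and the orders $p + 1$ and $p$) are constructed to lie in the Hasse interval and are not curves taken from the thesis.

```python
"""Embedding degree and the Section 3.3 MOV-resistance criteria.

Added illustration (not from the thesis).  Only the group order enters: the
Weil-pairing reduction maps an order-n subgroup into GF(q^k)^* precisely
when n divides q^k - 1, so the cost of the attack is set by the least such k.
"""
from math import gcd


def embedding_degree(q, n, k_max=100_000):
    """Smallest k >= 1 with q^k = 1 (mod n): the least extension GF(q^k) whose
    multiplicative group contains a subgroup of order n (Equation 3.3).
    Returns None if gcd(q, n) > 1 (no k exists; e.g. #E = p, the anomalous
    case) or if no k <= k_max works (the reduction is then irrelevant)."""
    if n < 2:
        raise ValueError("subgroup order must be at least 2")
    if gcd(q, n) != 1:
        return None
    acc = 1
    for k in range(1, k_max + 1):
        acc = acc * q % n
        if acc == 1:
            return k
    return None


def is_b_nonsmooth(x, B):
    """Definition 3.1: x > 1 has no prime factor smaller than B."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return d >= B                # d is the smallest prime factor
        d += 1
    return x >= B                        # x itself is prime


def euler_phi(c):
    """Euler's totient by trial division (c is the small cofactor here)."""
    result, n, d = c, c, 2
    while d * d <= n:
        if n % d == 0:
            while n % d == 0:
                n //= d
            result -= result // d
        d += 1
    if n > 1:
        result -= result // n
    return result


def mov_resistant_gfp(p, c, q_prime, B):
    """Criterion for #E(GF(p)) = m = c * q': (q'-1)/2 is B-nonsmooth and
    p^(2 phi(c)) != 1 (mod m).  Then ord_{q'}(p) exceeds 2, so it carries a
    prime factor >= B, and the embedding degree is at least B."""
    m = c * q_prime
    return (is_b_nonsmooth((q_prime - 1) // 2, B)
            and pow(p, 2 * euler_phi(c), m) != 1)


def mov_resistant_gf2n(n, c, q_prime, B):
    """Miyaji's setting for #E(GF(2^n)) = c * q' with c even: the reduction
    runs in the odd-order subgroup of order c' * q', c' the odd part of c."""
    c_odd = c
    while c_odd % 2 == 0:
        c_odd //= 2
    m_odd = c_odd * q_prime
    return (is_b_nonsmooth((q_prime - 1) // 2, B)
            and pow(2, 2 * n * euler_phi(c_odd), m_odd) != 1)


if __name__ == "__main__":
    # Constructed sample orders (inside the Hasse interval, not real curves):
    print(embedding_degree(89, 90))      # order p + 1 (supersingular type): 2
    print(embedding_degree(89, 89))      # order p (anomalous): None
    print(mov_resistant_gfp(89, 4, 23, 11), embedding_degree(89, 4 * 23))
    print(mov_resistant_gf2n(5, 2, 11, 5), embedding_degree(2 ** 5, 11))
    print(mov_resistant_gf2n(5, 2, 19, 3), embedding_degree(2 ** 5, 19))
```

The two $GF(2^5)$ cases show the criterion doing its job: with $q' = 11$ we have $2^{10} \equiv 1 \pmod{11}$, the test fails, and indeed the embedding degree is only 2 (the subgroup lands in $GF(2^{10})$); with $q' = 19$ the test passes and the embedding degree is 18. A `None` from `embedding_degree` for order $p$ means only that the MOV reduction does not apply, not that the curve is safe (see the remark on anomalous curves in Section 3.2.4).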

3.4 Elliptic Curve Public Key Cryptosystems 

As we discussed in Chapter 2, an elliptic curve over a finite field $GF(q)$ (over an algebraically 
closed field as well) carries a group structure with a composition law which involves some 
arithmetic operations in the underlying field. Let $E(GF(q))$ be the elliptic curve group and 
$P \in E(GF(q))$. In this group, for any integer $k$, the computation of $kP$ refers to 

$$Q = kP = \underbrace{P \oplus \cdots \oplus P}_{k \text{ times}}.$$

Now, we use an analogue of ElGamal's scheme over $GF(q)$ for defining a public key 
cryptosystem. According to ElGamal's scheme [ElG85], the following information is made public. 

• Working field $GF(q)$. 

• The elliptic curve equation over $GF(q)$. 

• $\#E(GF(q))$, the order of the elliptic curve. 

• Base point $P$, which is preferably a generator of $E(GF(q))$. 

• The method for obtaining a point in $E(GF(q))$ corresponding to a message, and vice 
versa. 

Now, every user determines an integer $k$ ($< \#E(GF(q))$) randomly and computes $kP$. 
The integer $k$ will be the private key of the user and $kP$ will be the public key. Let $k_a$ and $k_b$ 
be the private keys of users A and B. Hence their public keys will be given by $P_a = k_aP$ and 
$P_b = k_bP$ respectively. User A can communicate to B according to the following protocol. 

Encryption 

• User A chooses an integer $k$ ($< \#E(GF(q))$) at random, fresh for every message, and 
computes $kP_b$. 

• User A now takes the message element $m$, maps it to some point $M$ and computes 
$C = M \oplus kP_b$. 

• Then A computes $kP$ and sends it to B along with $C$. 

Decryption 

• User B computes $k_b(kP)$, which equals $kP_b = kk_bP$, the masking point used by A. 

• The message is retrieved by $M = C \oplus (\ominus k_b(kP))$. 

• The message $m$ can be obtained by applying the inverse of the message map used in 
encryption. 

A variation of this scheme can be used for digital signature as well. 

Encryption with Digital Signature 

• User A chooses an integer $k$ ($< \#E(GF(q))$) at random and computes $(k + k_a)P_b$. 

• User A now takes the message element $m$, maps it to some point $M$ and computes 
$C = M \oplus (k + k_a)P_b$. 

• Then A computes $kP$ and sends it to B along with $C$. 

Decryption with Signature Verification 

• User B computes $P_a \oplus kP$ ($= (k_a + k)P$). 

• Now, B computes $k_b(P_a \oplus kP)$ ($= (k + k_a)P_b$). 

• The message is retrieved by $M = C \oplus (\ominus k_b(P_a \oplus kP))$. 

• The message $m$ can be obtained by applying the inverse of the message map used in 
encryption. 

Here, we see that the security of this cryptosystem depends upon the difficulty of computing 
$k$ from given $kP$ and $P$, i.e. the discrete logarithm problem. Note that B learns only that a 
party knowing $k_a$ produced the ciphertext; since B could construct the same pair $(kP, C)$ himself 
using $k_b$, this variant gives B authentication of the sender but not a signature that B could 
show to a third party. 

In applications where only authentication is required, Schnorr's scheme [Sch89, Miy92] 
can be used, which is as follows. 

In Schnorr's scheme, apart from the working field $GF(q)$, the elliptic curve coefficients, 
the base point $P$ (of order $l$) and the curve order, a hash function is also universally accepted. 
Let $h$ denote the hash function, which maps a field element together with the message $M$ to 
an integer less than the order of the curve: 

$$h : GF(q) \times \mathcal{M} \to \{0, \ldots, \#E(GF(q))\}.$$

Suppose user A wants to send a message $M$ to user B with his or her signature. 

Signature Generation 

1. Pick a random number $k$ ($< \#E(GF(q))$) and compute $Q = kP = (r_x, r_y)$. 

2. Compute $e = h(r_x, M) \in \{0, \ldots, \#E(GF(q))\}$. 

3. Compute $y = k - k_a e \pmod{l}$ and output the signature $(e, y)$. 

Signature Verification 

1. Compute $R = yP \oplus eP_a = (r'_x, r'_y)$ and check that $e = h(r'_x, M)$. 

This works because $yP \oplus eP_a = (k - k_ae)P \oplus ek_aP = kP$, so $r'_x = r_x$ for a valid 
signature. Hence we see that Schnorr's signature generation requires one $kP$ computation and 
signature verification requires two $kP$ computations. The nonce $k$ must be fresh and 
unpredictable for every signature: reusing $k$ for two messages with $e_1 \neq e_2$ reveals 
$k_a = (y_2 - y_1)/(e_1 - e_2) \bmod l$. Depending upon the requirements and 
constraints of an application, either of the two schemes can be used. 
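The ElGamal-type encryption and the Schnorr signature of this section, as one added worked example that is not part of the thesis. The curve $y^2 = x^3 + 2x + 3$ over $GF(97)$, the base point (the point of largest order, found by enumeration) and SHA-256 as the hash $h$ are assumptions made for the example only; the field is far too small to be secure, and the message-to-point map of the thesis is not shown (the plaintext is taken to be a curve point already). Decryption computes $k_b(kP)$, i.e. the nonce point transmitted with the ciphertext, which is the only quantity B has that unmasks $C$.

```python
"""Section 3.4 schemes on a toy curve: ElGamal-type encryption with the nonce
point kP sent beside C, and the Schnorr signature (e, y).

Added illustration (not from the thesis).  Curve, field, base point and hash
are assumed for the example; y^2 = x^3 + 2x + 3 over GF(97) is small enough
to enumerate and far too small to be secure.  Points are (x, y) tuples, INF
is the point at infinity; the plaintext is already a curve point.
"""
import hashlib
import secrets

P_FIELD, A, B = 97, 2, 3      # assumed; 4A^3 + 27B^2 = 275 != 0 (mod 97)
INF = None


def add(P, Q):
    """The group law P (+) Q on the affine Weierstrass curve."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF                                   # P (+) (-P)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def neg(P):
    return INF if P is INF else (P[0], (-P[1]) % P_FIELD)


def mul(k, P):
    """Scalar multiple kP by double-and-add, k >= 0."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def curve_points():
    """All affine points, by brute force (toy field only)."""
    roots = {}
    for y in range(P_FIELD):
        roots.setdefault(y * y % P_FIELD, []).append(y)
    return [(x, y) for x in range(P_FIELD)
            for y in roots.get((x ** 3 + A * x + B) % P_FIELD, [])]


def point_order(P):
    n, R = 1, P
    while R is not INF:
        R, n = add(R, P), n + 1
    return n


BASE = max(curve_points(), key=point_order)   # base point P of largest order
L = point_order(BASE)                          # l = order of P


def keygen():
    """Private key k in [1, l), public key kP."""
    k = secrets.randbelow(L - 1) + 1
    return k, mul(k, BASE)


def encrypt(pub_b, M, k=None):
    """A: fresh random k, C = M (+) k P_b; transmit (kP, C)."""
    k = k or secrets.randbelow(L - 1) + 1
    return mul(k, BASE), add(M, mul(k, pub_b))


def decrypt(priv_b, kP, C):
    """B: k_b (kP) equals k P_b, so M = C (-) k_b (kP)."""
    return add(C, neg(mul(priv_b, kP)))


def h(rx, msg):
    """Hash h: GF(q) x messages -> {0, ..., l-1}, via SHA-256 of (r_x, M)."""
    digest = hashlib.sha256(rx.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % L


def sign(priv_a, msg, k=None):
    """Schnorr: Q = kP = (r_x, r_y), e = h(r_x, M), y = k - k_a e (mod l)."""
    k = k or secrets.randbelow(L - 1) + 1
    rx, _ = mul(k, BASE)
    e = h(rx, msg)
    return e, (k - priv_a * e) % L


def recover_commitment(pub_a, sig):
    """R = yP (+) e P_a, which equals kP for a genuine signature."""
    e, y = sig
    return add(mul(y, BASE), mul(e, pub_a))


def verify(pub_a, msg, sig):
    R = recover_commitment(pub_a, sig)
    return R is not INF and h(R[0], msg) == sig[0]


if __name__ == "__main__":
    kb, Pb = keygen()
    M = mul(7, BASE)                               # a constructed message point
    print(decrypt(kb, *encrypt(Pb, M)) == M)
    ka, Pa = keygen()
    print(verify(Pa, b"pay 10", sign(ka, b"pay 10")))
```

The optional `k` arguments exist only so that a run can be reproduced; in use both nonces must come from the system random source, as the remark on nonce reuse above explains.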
Chapter 4 

Construction of Elliptic Curves 


In this chapter, we discuss implementation aspects of the theory discussed in Chapter 2 to 
construct elliptic curves with an order such that all the conditions discussed in Chapter 3 are 
met. We begin with an overview of a general procedure for the construction of non-supersingular 
elliptic curves over $GF(q)$ (especially over $GF(p)$ and $GF(2^n)$). Then, we present algorithms 
for the construction of elliptic curves over $GF(p)$ and $GF(2^n)$. We also discuss the construction 
of supersingular elliptic curves over $GF(2^n)$ in the last section. First we review the main results 
of the previous chapter from the point of view of constructing elliptic curves with a desired 
order ($= \#E(GF(q))$). 

4.1 Overview of Construction Procedure 

From the theory discussed earlier, we know that every non-supersingular elliptic curve over 
a finite field has complex multiplication by an order $\mathcal{O}$ in an imaginary quadratic field $\mathcal{K}$, and 
the two norm equations have a solution $\pi$ in $\mathcal{O}$ which is unique up to multiplication 
by a unit of $\mathcal{O}$. In other words, for any non-supersingular elliptic curve $E(GF(q))$ 
over $GF(q)$ with order $\#E(GF(q))$, there exists an imaginary quadratic field $\mathcal{K}$ such that 
the endomorphism ring of $E(GF(q))$ is isomorphic to an order in $\mathcal{K}$ and, moreover, there 
is a $\pi \in \mathcal{O}$ such that 

$$q = N_{\mathcal{K}}(\pi) \tag{4.1}$$

$$\text{and}\qquad \#E(GF(q)) = N_{\mathcal{K}}(1 - u_i\pi). \tag{4.2}$$

Here, $q = p^f$, $h_{\mathcal{K}} = h = fg$ and $u_i$ is a unit in $\mathcal{O}$. The number of units in an imaginary 
quadratic field is 6, 4 or 2 according as the discriminant of the imaginary quadratic field is $-3$, 
$-4$ or less than $-4$ [Hec93, Ros94, IR82, Cha88]. From now on, we write the class number as $h$. 

Equivalently, if we specify $q$ and $\#E(GF(q))$ and search for an imaginary quadratic 
field $\mathcal{K}$ such that the two norm equations have a solution in $\mathcal{K}$, then we can be sure of the 
existence of an elliptic curve over $GF(q)$ having the selected order and whose 
endomorphism ring is isomorphic to an order in $\mathcal{K}$. But this information is not sufficient, 
because for the construction of the Weierstrass equation of the elliptic curve over the finite field 
we need to know the $j$-invariant of the elliptic curve as well. For the computation of the 
$j$-invariant, recall that the ring class field $H_{\mathcal{O}}$ of the quadratic imaginary field will be the 
splitting field (over $\mathcal{K}$) of the $j$-invariants of the isomorphism classes of elliptic curves having 
complex multiplication by $\mathcal{O}$ [BCHIS66, Sil94, Shi71]. If we can compute the $j$-invariant for 
each isomorphism class, then $H_{\mathcal{O}}$ will be the splitting field (over $\mathcal{K}$) of 

$$f(x) = \prod_{i=1}^{h} \left(x - j(E_i)\right).$$

This polynomial is referred to as the class equation (also as Weber's polynomial [Web02, LZ94, 
AM93]). Since $j(E)$ is an algebraic integer, $f(x)$ has coefficients in $\mathbb{Z}$. Hence, the splitting 
field of this polynomial over $\mathbb{Q}$ is the field of moduli $\mathbb{Q}(j(E))$. 

If a rational prime $p$ splits in $\mathcal{K}$ into prime ideals $\mathfrak{p}$ and $\mathfrak{p}'$ and, further, $\mathfrak{p}$ splits in $H_{\mathcal{O}}$ 
into $g$ prime ideals $\mathfrak{P}_j$ of relative degree $f$ (with respect to $\mathfrak{p}$) [Ono90], then $p$ splits into $g$ 
prime ideals of relative degree $f$ (with respect to $p$) in $\mathbb{Q}(j(E))$. Hence, the polynomial $f(x)$ 
splits into $g$ polynomials of degree $f$ when reduced modulo $p$, i.e. 

$$f(x) \equiv \varphi_1(x)\,\varphi_2(x) \cdots \varphi_g(x) \pmod{p},$$

where the degree of $\varphi_i(x)$ is $f$ for $1 \le i \le g$. Clearly, each $\varphi_i(x)$ splits completely in $GF(q)$ 
($= GF(p^f) \cong \mathcal{O}_{\mathbb{Q}(j(E))}/\mathfrak{P}_j$) [Ono90, IR82], and hence we obtain the $j$-invariant of the 
elliptic curve $E(GF(q))$. 

Now, we come to the computation of the $j$-invariant for the isomorphism classes of elliptic 
curves with complex multiplication by $\mathcal{O}$. As discussed earlier, there exists a one-to-one 
correspondence between the ideal classes of the class group of $\mathcal{O}$ and the isomorphism classes 
of elliptic curves. Hence, the problem of computing the $j$-invariant of an isomorphism class of 
elliptic curves is equivalent to computing the $j$-invariant of an ideal class of $C\ell(\mathcal{O})$. Further, 
since each ideal class in $\mathcal{O}$ can be identified with a unique primitive reduced binary quadratic 
form with the same discriminant as $\mathcal{O}$ (see Appendix B), we need to look into the 
relationship of $C\ell(\mathcal{O})$ with the set of primitive reduced binary quadratic forms [Ros94, IR82, 
Cha88, Hec93]. This relationship is very important for the other computational aspect as 
well, i.e. the computation of the class number of $\mathcal{O}$ [Ros94]. We will now concentrate on the 
various computational aspects and come back to the problem of computing the $j$-invariant later. 

In the next section, we discuss the first step of the curve construction procedure, i.e. solving 
the norm equations, in detail. 
4.2 Solving the Norm Equations 

Solvability of the two norm equations 4.1 and 4.2 ensures the existence of an elliptic curve over 
$GF(q)$ with order $\#E(GF(q))$. The norm equation 4.1 specifies the finite field over which the 
constructed elliptic curve will be defined, and Equation 4.2 specifies the order of the elliptic 
curve $\#E(GF(q))$. The solution of the norm equations determines an imaginary quadratic field 
$\mathcal{K}$ such that an order in $\mathcal{K}$ is isomorphic to the endomorphism ring of an elliptic curve with 
order $\#E(GF(q))$. 

Since our aim is to construct elliptic curves over finite fields with specified orders following 
the constraints discussed in Chapter 3, we would like to specify $q$ for $GF(q)$ and the order of 
the curve $\#E(GF(q))$ and search for a discriminant such that the two norm equations 
have a proper solution. In other words, we need to search for a discriminant $d$ such that there 
exists a $\pi = x + \sqrt{d}\,y$ ($2x, 2y \in \mathbb{Z}$) in an order $\mathcal{O}$ (of discriminant $d$) of the imaginary 
quadratic field $\mathcal{K} = \mathbb{Q}(\sqrt{d})$ with norm of $\pi = x^2 - dy^2 = q$ and norm of 
$(1 - \pi) = (1 - x)^2 - dy^2 = m = \#E(GF(q))$. This argument leads us to the following theorem. 

Theorem 4.1 There exist $h(t^2 - 4p)$ isomorphism classes of non-supersingular elliptic 
curves over $GF(p)$ with order $\#E(GF(p)) = p + 1 - t$. Here $h(d)$ denotes the class number 
of discriminant $d$. 

Here it should be noticed that $dy^2 = (q + 1 - m)^2 - 4q$, and hence $d$ is a factor of the right 
hand side of this equation. In fact, $d$ can be taken as the square-free part of the number 
on the right hand side. In such a case, the conductor [Sil94, PS92, Coh78] of the order $\mathcal{O}$ with 
discriminant $d$ will be 1. Hence it will be the maximal order $\mathcal{O}_{\mathcal{K}}$ of $\mathcal{K}(\sqrt{d})$, and the 
corresponding ring class field will actually be the Hilbert class field, i.e. the maximal unramified 
abelian extension of $\mathcal{K}(\sqrt{d})$ [PS92, Coh78] (also see Appendix C). But here the problem is 
that the class number of this discriminant may be very large, which in turn means that to obtain 
the $j$-invariant a polynomial of very large degree will have to be factored. One way to overcome 
this problem is to first determine the discriminant as the square-free part of $(q + 1 - m)^2 - 4q$ 
and then check whether it has a small class number (using the class number algorithm given in 
Section 4.3). If the class number is small then select it, otherwise try again with a different $q$ 
or $m$ or both. In fact, if instead of giving both the parameters $q$ and $\#E(GF(q))$ we give only 
one of them, i.e. either the finite field $GF(q)$ or $\#E(GF(q))$, then it is very easy to find, in a 
short time, a discriminant such that a $\pi$ is obtained in $\mathcal{O}$ for the equation with the given 
parameter and the norm of $(1 - u_i\pi)$ is an integer satisfying all the requirements for the second 
parameter. 

To justify this claim, let us recall Hasse's theorem, which says that the order of an elliptic 
curve over $GF(q)$ is bounded by $q + 1 - 2\sqrt{q} \le \#E(GF(q)) \le q + 1 + 2\sqrt{q}$. Hence, if $q$ 
is large enough then there will be many choices for $\#E(GF(q))$ which meet all the 
required restrictions. In other words, the probability of finding a discriminant will be very high. 
Likewise, for a given order, there will be many choices for $q$. 

Hence, for the construction of elliptic curves over the prime field $GF(p)$, we specify the order 
which satisfies all the restrictions for security and search for a discriminant such that the 
second norm equation has a solution for which the first norm equation gives a prime. This prime 
will define the working field. In the case of curve construction over $GF(2^n)$, the field parameter 
is known. We search for a solution of the first norm equation such that the second norm equation 
gives an integer satisfying all the restrictions for the order of the elliptic curve as discussed in 
Chapter 3. In the sequel, we will see some constraints on the discriminants to be tested for 
solvability of the norm equations, which will help in formulating a procedure for an efficient 
search for a proper discriminant. Now we discuss the two cases, construction of elliptic curves 
over the prime field $GF(p)$ and over $GF(2^n)$, separately in detail. 

For curves over prime field GF{p) 

For the construction of curves over $GF(p)$, we specify the order in the form $\#E(GF(p)) = m = 
c \cdot q$, where $c$ is a small number (say, less than 100) and $q$ is a large prime such that $q - 1$ 
has no factor less than an integer $B$ (in this subsection $q$ denotes this prime factor, not the 
field size). Here $B$ is a lower bound on the minimum degree of extension for the MOV attack to 
be applicable. For security purposes, the size of $q$ should be at least 40 decimal digits and $B$ 
should be at least 10. Now, for $m$ to be a norm in some quadratic field $\mathcal{K}$, each prime factor 
of $m$ must split into principal prime ideals in $\mathcal{K}$. Let us now discuss Cornacchia's algorithm 
[AM93] for solving the norm equation. This algorithm works for $m$ which splits into principal 
ideals in $\mathcal{K}$. As discussed above, the problem of solving the norm equation is equivalent to 
finding $x, y$ such that, for a negative discriminant $d$, 

$$4m = x^2 - dy^2.$$

Since a discriminant $d$ is either $0$ or $1 \bmod 4$ [Ros94, PS92, Cha88], this equation can be 
rewritten in the different cases as given below. If $d \equiv 0 \pmod 4$, then on putting $d = -4D$ 
we get 

$$m = x^2 + Dy^2.$$

If $d \equiv 1 \pmod 8$, then $x$ and $y$ will be even integers (for odd $m$ a parity argument modulo 8 
shows that both must be even); hence, putting $d = -D$ and halving $x$ and $y$, we get 

$$m = x^2 + Dy^2.$$

We shall see the last case $d \equiv 5 \pmod 8$ after the algorithm. 

Procedure Cornacchia($D$, $m$) 

( ** solution of $m = x^2 + Dy^2$ ** ) 

1. Begin. 

2. Find $x_0$ such that $x_0^2 \equiv -D \pmod m$ and $m > x_0 > m/2$. 

3. Develop $m/x_0$ as a continued fraction, i.e. run the Euclidean algorithm 

$$m = q_0 x_0 + x_1, \quad x_0 = q_1 x_1 + x_2, \quad \ldots, \quad x_{i-1} = q_i x_i + x_{i+1}, \quad \ldots$$

and stop at the first $k$ with $x_k^2 < m < x_{k-1}^2$. 

4. Set $x = x_k$ and $y = \sqrt{(m - x^2)/D}$. 

5. If $y$ is not an integer, $m$ is not representable as $x^2 + Dy^2$. 

6. End. 

In the case $d \equiv 5 \pmod 8$, the same algorithm is used with $x_0$ a solution of 
$x^2 + x + \frac{1 - d}{4} \equiv 0 \pmod m$. Step 2 needs a square root of $-D$ modulo $m$; since $m = c \cdot q$ 
is not prime, the root is found modulo each prime factor and combined with the Chinese 
remainder theorem, and each of the resulting roots may have to be tried. 

Hence, this algorithm finds the representation $m = x^2 + Dy^2$ whenever one exists. Once 
a solution is obtained, i.e. $1 - u_i\pi$, we compute the norm of $u_i\pi$ for all the units. If the norm 
value is a prime number $p$ and $p^{2\varphi(c)} \not\equiv 1 \pmod m$, as discussed in Chapter 3, then we 
select this discriminant as proper; otherwise we go for another. From Hasse's theorem, we can 
easily deduce that the size of the field prime will be almost the same as that of the order 
$\#E(GF(p))$. We search the discriminants in increasing order of their class number, because to 
obtain the $j$-invariants a polynomial (the class equation) of degree equal to the class number 
will have to be factored (modulo $p$). Hence, to reduce the computational complexity, we prefer 
discriminants with smaller class numbers. Within the set of discriminants having the same class 
number, the search is in increasing order of their magnitude. We will discuss this aspect in 
detail later in Section 4.6. 
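Cornacchia's algorithm and the two norm equations, as an added example that is not part of the thesis. It solves $p = x^2 + Dy^2$ for a prime $p$ (the $d = -4D$ case, so $\pi = x + y\sqrt{-D}$) and lists the curve orders $N(1 - u\pi) = p + 1 \mp 2x$ that a curve over $GF(p)$ with complex multiplication by $\sqrt{-D}$ can have; the thesis runs the same equations in the opposite direction (order first, then the field prime), and the generalisation to composite $m$ described above is not implemented here. The square root in step 2 is computed by Tonelli-Shanks, an assumed choice. Note that with the units $\pm 1$ (and $\pm i$ for $D = 1$) the trace $2x$ is even, so every order listed is even; odd (e.g. prime) orders arise only from the half-integer solutions of the $d \equiv 5 \pmod 8$ case, which is why that case matters for the search. Sample values are constructed for the example.

```python
"""Cornacchia's algorithm and the norm equations (4.1)/(4.2) for d = -4D.

Added illustration (not from the thesis).  For a prime p and D > 0 this
solves p = x^2 + D y^2, i.e. N(pi) = p with pi = x + y sqrt(-D), and then
lists the orders N(1 - u pi) of curves over GF(p) with CM by sqrt(-D).
"""
from math import isqrt


def sqrt_mod_prime(a, p):
    """Tonelli-Shanks: r with r^2 = a (mod p), or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:        # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def cornacchia(m, D):
    """Return (x, y) with m = x^2 + D y^2 for a prime m, or None.
    Step 2: x0^2 = -D (mod m) with m/2 < x0 < m; step 3: Euclid on (m, x0)
    until the remainder drops below sqrt(m); steps 4-5: test (m - x^2)/D."""
    x0 = sqrt_mod_prime(-D, m)
    if x0 is None:
        return None
    if 2 * x0 < m:
        x0 = m - x0                      # take the root in (m/2, m)
    a, b, limit = m, x0, isqrt(m)
    while b > limit:                     # the continued-fraction remainders
        a, b = b, a % b
    rest = m - b * b
    if rest % D != 0:
        return None
    y = isqrt(rest // D)
    return (b, y) if y * y == rest // D else None


def cm_curve_orders(p, D):
    """Orders p + 1 - t of curves over GF(p) with CM by sqrt(-D), read off
    pi = x + y sqrt(-D): t = +/-2x for the units +/-1, and t = +/-2y as well
    when D = 1 (units +/-i).  Every order lies in the Hasse interval."""
    sol = cornacchia(p, D)
    if sol is None:
        return []                        # p does not split into principal ideals
    x, y = sol
    traces = {2 * x, -2 * x}
    if D == 1:
        traces |= {2 * y, -2 * y}
    orders = sorted(p + 1 - t for t in traces)
    assert all(abs(n - p - 1) <= 2 * isqrt(p) + 1 for n in orders)
    return orders


if __name__ == "__main__":
    print(cornacchia(13, 1), cm_curve_orders(13, 1))   # (3, 2) [8, 10, 18, 20]
    print(cornacchia(11, 2), cm_curve_orders(11, 2))   # (3, 1) [6, 18]
    print(cornacchia(7, 5))                            # None: 7 != x^2 + 5 y^2
```

The $p = 13$, $D = 1$ line reproduces the classical fact that the curves with complex multiplication by $i$ over $GF(13) = GF(3^2 + 2^2)$ have the four orders $14 \pm 6$ and $14 \pm 4$; the `None` for $(7, 5)$ shows the algorithm correctly reporting that 7 is not of the form $x^2 + 5y^2$ even though $-5$ is a square modulo 7.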

For curves over the field $GF(2^n)$ 

In this case, our objective is to construct elliptic curves over a given field $GF(2^n)$. We 
begin by solving Equation 4.1 for $q = 2^n$ ($f = n$) and then search for a discriminant 
(and hence $\pi$) such that Equation 4.2 gives an integer $m$ ($= \#E(GF(2^n))$) which splits into $c$ 
(a small integer, say less than 100) and a large prime $q'$. Moreover, the order $m$ should be 
such that the prime factor satisfies that $q' - 1$ is $B$-nonsmooth, i.e. has no factor less than the 
integer $B$, and 

$$2^{2n\varphi(c')} \not\equiv 1 \pmod{c'q'}$$

for $c'$ equal to the odd part of $c$. As discussed earlier, for security purposes, the extension 
degree $n$ of the field should be at least 130. Any $B$ greater than 10 will make the MOV 
attack infeasible. 
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Now, we discuss the solvability of the first norm eqviation. As we mentioned earlier, there 
will exist a TT in some quadratic field KL{\fd) if and only if g is a norm of a principal ideal in 
IC(\/d). Let’s say 2 splits in IC{\/d) into prime ideals p and p'. That is, 

(2)^ = PP' 

Here, if p is not a principal ideal in IC{'/d), then Cornacchia algorithm will fail for m = 2. 
But if the discriminant is such that its class number is n, then p" will definitely be principal 
as p is an element of class group CC{0) which is cyclic group of order n. 

Now we can think of many variations. As we have already discussed, $K(j(E))$ will be the splitting field of the class equation $f(x)$, a polynomial of degree equal to the class number of the order whose discriminant is the one obtained from the norm equations. We will discuss the method for the computation of the class equation later. This polynomial, when reduced modulo 2, will split into $g$ polynomials of degree $f \,(= h/g$, where $h$ is the class number$)$. Here $f$ is the minimal integer such that $\mathfrak p^f$ becomes a principal ideal in $K(\sqrt d)$ [PS92, Ono90, Hec93, IR82]. Now, consider the cases given below, with the following notation:

$n$ = extension degree of the working field $GF(2^n)$ over $GF(2)$,

$m = \#E(GF(2^n))$,

$h = fg$ = class number of the discriminant $d$ for which the norm equations are solvable, and

2 splits in $K(\sqrt d)$ into the prime ideals $\mathfrak p$ and $\mathfrak p'$.

1. $n$ is a composite number with $h$ as a factor: Let $n = ht$. Then we will look for a discriminant which has class number $h$ and gives a proper $\pi$ with $q = 2^n$ in the norm equations. Obviously, if 2 splits into $\mathfrak p$ and $\mathfrak p'$ in $K(\sqrt d)$, then $2^n$ will split into principal ideals in $K(\sqrt d)$, as

$(2)^n = \left((2)^h\right)^t = (\mathfrak p^h)^t\,(\mathfrak p'^h)^t.$

Since $\mathfrak p^h$ is a principal ideal, $\mathfrak p^{ht} = \mathfrak p^n$ will also be principal. Now, the polynomial $f(x)$ will be of degree $h$ and, when reduced modulo 2, will either be an irreducible polynomial of degree $h$ or will split into $g$ polynomials of degree $f$. Since the j-invariant of the curve will be a root of $f(x)$, in this case we will need to factor a polynomial of small degree over $GF(2^n)$. Hence, in this case, we can define the working field $GF(2^n)$ first (i.e. choose a primitive irreducible polynomial of degree $n$ over $GF(2)$) and then factor $f(x)$ for the j-invariant. The factorization will not be computationally difficult, as the degree of $f(x)$ is small.

2. $n$ is equal to $h$: Here, again, there will be two cases.

(a) $n$ is prime: In such a case, if 2 splits into prime ideals in $K(\sqrt d)$, then $2^n$ will split into the principal ideals $\mathfrak p^n$ and $\mathfrak p'^n$. Hence, the class equation $f(x) \bmod 2$ will be an irreducible polynomial of degree $n$ over $GF(2)$.
is a $2 \times 2$ matrix $M(f)$ associated with each binary quadratic form $f(x, y)$ such that

$f(x, y) = X\, M(f)\, X^{\mathsf T}, \qquad X = [x, y], \qquad M(f) = \begin{pmatrix} a & b/2 \\ b/2 & c \end{pmatrix}.$

If $D$ is the determinant of $M(f)$, then $d = -4D$.

Two binary quadratic forms with matrices $A$ and $B$ are said to be equivalent if there exists a unimodular $2 \times 2$ matrix $T$ such that $B = T^{\mathsf T} A\, T$. If the determinant of $T$ is equal to $-1$, then the two forms are called improperly equivalent. With this equivalence relation, the set of all quadratic forms with the same discriminant can be divided into finitely many equivalence classes, and each equivalence class can be represented by a primitive reduced form, i.e. a form $(a, b, c)$ with $\gcd(a, b, c) = 1$ [Dav80, IR82, Ros94, AM93]. Moreover, it is also possible to define a binary composition law on the equivalence classes which gives the set of equivalence classes a group structure [SHL84].

Theorem 4.2 given below sets up an isomorphism between the set of primitive reduced binary quadratic forms of discriminant $d$ and the class group $Cl(O)$ of an order $O$ with discriminant $d$ in an imaginary quadratic field [AM93, SHL84].

Theorem 4.2 For an order $O$ in a quadratic field (real or imaginary) with discriminant $d$, the map sending a fractional ideal $[\tau, 1]$ in $Cl(O)$ to the primitive reduced binary quadratic form $(a, b, c)$ of discriminant $d$ such that $\tau = (-b + \sqrt d)/2a$ induces an isomorphism between $Cl(O)$ and the group $C(d)$ of equivalence classes of quadratic forms with discriminant $d$, i.e. the map

$\phi : Cl(O) \longrightarrow C(d),$

$[\tau, 1] = \left[\,(-b + \sqrt d)/2a,\; 1\,\right] \longmapsto (a, b, c)$

is an isomorphism. Moreover, the composition law of equivalence classes of quadratic forms corresponds to the multiplication of fractional ideals in $Cl(O)$.

Since we are concerned with imaginary quadratic fields only, from now on we will concentrate on quadratic forms with negative discriminant. The following three rules determine the primitive reduced form of each equivalence class of the set of quadratic forms with discriminant $d$ ($d < 0$) [AM93, Ros94].

1. $|b| \le a \le c$

2. $c > 0$ and $0 < a \le \sqrt{|d|/3}$

3. $(a, b, c) \sim (a, -b, c)$ iff either $a = c$ or $a = |b|$
Obviously, the number of primitive reduced binary quadratic forms will be equal to the class number of $Cl(O)$. Hence, this method avoids the use of Dirichlet's formula [Dav80, Hec93, Ros94, IR82] for the computation of the class number of an order $O$ in an imaginary quadratic field (and of a real quadratic field as well, but with different rules), which is computationally very expensive. We now present an algorithm for finding all the primitive reduced binary quadratic forms and the class number for a given discriminant $d$.

Procedure pbqf_cln(d)

( ** pbqf_cln stands for Primitive Binary Quadratic Forms and CLass Number ** )

1. Begin

2. Set class_no := 0 and D := |d|.

3. Set r := ⌊√(D/3)⌋ and b := D mod 2.

4. while (b ≤ r)

   (a) Set a := 1 if b = 0, otherwise a := b (so that |b| ≤ a), and m := (b² + D)/4 (= ac, since b² − 4ac = d).

   (b) while (a ≤ ⌊√m⌋)   (i.e. a ≤ c)

       i. if ((m ≡ 0 mod a) and (b ≤ a))

          A. Set c := m/a.

          B. if (gcd(a, b, c) = 1 and (c = a or b = a or b = 0))
             Set class_no := class_no + 1, store the primitive form (a, b, c).

          C. else if (gcd(a, b, c) = 1)
             Set class_no := class_no + 2, store the primitive forms (a, ±b, c).

       ii. Set a := a + 1.

   (c) Set b := b + 2.

5. End.

Using this algorithm we can obtain all the primitive reduced quadratic forms, each of which represents an ideal class in $Cl(O)$. Hence a large part of the ideal theory can be translated into the language of the theory of quadratic forms. We will see in the next section that all the computation in $O$ will be carried out in terms of the corresponding primitive binary quadratic forms. To a large extent, the theory of quadratic forms is concerned with the problem of which numbers can be represented by the form $f(x, y)$ as $x, y$ run through all pairs of integers in $\mathbb Z$. This is equivalent to the problem of which numbers appear as the norm of (principal) integral ideals in a given ideal class, discussed in Section 4.2.
4.4 Computation of j-invariants and Class Equation

In Section 4.2, we obtained a discriminant $d$ such that the corresponding order $O$ will be isomorphic to the endomorphism ring of an elliptic curve ($E(GF(p))$ or $E(GF(2^n))$) with a known order ($\#E(GF(p))$ or $\#E(GF(2^n))$). In this section, we begin with the computation of the j-invariants of the various isomorphism classes of elliptic curves (over $\mathbb C$) having $O$ as endomorphism ring.

As discussed in Section 2.1, each isomorphism class of elliptic curves is identified by a homothety class of a lattice $\Lambda = \mathbb Z\tau + \mathbb Z$, and the corresponding j-invariant is unique. Since each homothety class of lattices can be represented by a fractional ideal in an order $O$ of an imaginary quadratic field, the j-invariant of an isomorphism class of elliptic curves will be the same as that of an ideal class in $Cl(O)$.

Now, to obtain an expression for the computation of $j(\tau)$ for an ideal class, we define Dedekind's $\eta$ function and Weber's $\mathfrak f, \mathfrak f_1, \mathfrak f_2$ functions [Web02, Sil94, AM93, LZ94, PS92].


Definition 4.1 The Dedekind $\eta$-function, for $\tau$ lying in the upper half of the complex plane, is defined by the product

$\eta(\tau) = q^{1/24} \prod_{n \ge 1} (1 - q^n), \qquad q = e^{2\pi i\tau}, \quad q^{1/24} = e^{2\pi i\tau/24}.$   (4.3)

This function is a modular form of weight 1/2 and can be expanded as

$\eta(\tau) = q^{1/24} \sum_{n \in \mathbb Z} (-1)^n\, q^{n(3n-1)/2}.$

If we let $\zeta_n$ stand for $\exp(2\pi i/n)$, then Weber's functions are defined as

$\mathfrak f(\tau) = \zeta_{48}^{-1}\, \frac{\eta((\tau + 1)/2)}{\eta(\tau)},$   (4.4)

$\mathfrak f_1(\tau) = \frac{\eta(\tau/2)}{\eta(\tau)},$   (4.5)

$\mathfrak f_2(\tau) = \sqrt 2\, \frac{\eta(2\tau)}{\eta(\tau)}.$   (4.6)

Further, we define

$\gamma_2(\tau) = \frac{\mathfrak f^{24}(\tau) - 16}{\mathfrak f^{8}(\tau)} = \frac{\mathfrak f_1^{24}(\tau) + 16}{\mathfrak f_1^{8}(\tau)} = \frac{\mathfrak f_2^{24}(\tau) + 16}{\mathfrak f_2^{8}(\tau)},$   (4.7)

$\gamma_3(\tau) = \frac{\left(\mathfrak f^{24}(\tau) + 8\right)\left(\mathfrak f_1^{8}(\tau) - \mathfrak f_2^{8}(\tau)\right)}{\mathfrak f^{8}(\tau)}.$   (4.8)

Using these functions, the modular invariant $j(\tau)$ for an ideal class of $O$ can be computed as

$j(\tau) = \gamma_2^3(\tau) = \gamma_3^2(\tau) + 1728.$   (4.9)
For further details regarding these functions, please see [Sil94, Web02, LZ94, PS92]. Using these functions, the j-invariant of each ideal class of $Cl(O)$ can be computed. Obviously, there will be $h \,(= \#Cl(O))$ such j-invariants, as there are $h$ distinct ideal classes in $Cl(O)$.

The above discussion does tell us a way to compute the j-invariants, but it is not sufficient from the point of view of actual computation on a finite-precision machine, since the computation of the j-invariants involves floating point arithmetic and the sum of an infinite series. For computations on a finite-precision machine, we need to expound its implementation aspects in detail. In Section 4.3, we established an isomorphism between $Cl(O)$ and the group $C(d)$ of binary quadratic forms with the same discriminant. For a fractional ideal $[\tau, 1]$ in an ideal class of $Cl(O)$, the $\tau$ can be expressed in terms of the coefficients of the corresponding primitive quadratic form $(a, b, c)$ as

$\tau = \frac{-b + \sqrt{b^2 - 4ac}}{2a} = \frac{-b + \sqrt d}{2a}.$

But to determine the j-invariant, we need to compute the $\eta(\tau)$ function, which is an infinite series. Moreover, since the class equation $f(x)$ is an irreducible polynomial over $\mathbb Q$, the j-invariants will be complex numbers with real and imaginary parts in $\mathbb R$. Hence, for computational purposes we must fix the floating point precision so that, after rounding off, the coefficients of $f(x)$ are exact, i.e. the same as those which would be obtained with infinite-precision arithmetic [AM93]. By floating point precision we mean the number of significant decimal digits preserved in floating point arithmetic. Of course, from the computational point of view, it is desirable to have the minimum floating point precision. The following example illustrates the meaning of finite floating point precision.

Example

Let $x = 234.32873456667$ and $y = 8768.785478947$.

Then $x \cdot y \approx 2054778.404968241\ldots$

Now, for $x \cdot y$ to be correct to the nearest integer, it can be computed with fewer significant digits after the decimal point in $x$ and $y$. If we compute the product with $x$ and $y$ truncated to the 5th decimal place (because one of them has 4 digits in its integer part), the product remains the same to the nearest integer:

$234.32873 \cdot 8768.78547 = 2054778.3628275531.$

Whereas if $x$ and $y$ are truncated to the third decimal place only, then the product will not be correct to the nearest integer:

$234.328 \cdot 8768.785 = 2054771.851\ldots$

Likewise, instead of two numbers, if we have $n$ numbers with at most $t$ digits in their integer parts, we need to preserve each number to at least the $(t + 1)(n - 1)$th decimal place for their product to be accurate to the nearest integer. In fact, a tighter bound can be obtained if we define the finite precision to be equal to the sum of the digits in the integer parts of all the multiplicands. It is better to have a floating point precision greater than this to avoid the possibility of error in rounding off.

Let us first estimate the approximate size of the magnitude of the j-invariants in decimal digits. The following expression gives the $q$-expansion of $j(\tau) \,(= j(E_\Lambda))$ [Sil94, AM93, Apo76]:

$j(\tau) = \frac{1}{q} + \sum_{n \ge 0} c(n)\, q^n,$

where $c(n) \in \mathbb Z$ and can be expressed in terms of Ramanujan's $\tau(n)$ function [Sil94]. Here we give the first few values of $c(n)$:

$c(0) = 744, \quad c(1) = 196884, \quad c(2) = 21493760, \quad c(3) = 864299970.$

Now, since $q = e^{2\pi i\tau}$, on substituting $\tau = (-b + \sqrt d)/2a$ we get

$q = e^{2\pi i(-b + \sqrt d)/2a} = e^{-\pi i b/a}\; e^{-\pi\sqrt{|d|}/a},$

where $d = b^2 - 4ac$. The main term in $j(\tau)$ is $1/q$, hence we get an approximation for the magnitude of $j(\tau)$ as

$|j(\tau)| \approx \left|\frac{1}{q}\right| = e^{\pi\sqrt{|d|}/a}.$

The approximate number of decimal digits in $j(\tau)$ is

$\log_{10}|j(\tau)| \approx \frac{\pi\sqrt{|d|}}{a \ln 10}.$

Now, since the constant term of the class equation is the product of all the j-invariants, a floating point precision which is appropriate for this term will suffice for all the others, as they involve products of fewer j-invariants. Hence, an appropriate precision for the floating point arithmetic is given by

$Prec(d) = \left\lceil \sum_{i=1}^{h} \frac{\pi\sqrt{|d|}}{a_i \ln 10} \right\rceil + f(h) + C_h,$

where $(a_i, b_i, c_i)$, $1 \le i \le h$, are the primitive reduced forms of discriminant $d$. Here $f(h) + C_h$ has been added to compensate for the error in the computation of the precision. The function $f(h)$ is an increasing function of the class number and $C_h$ is some constant. In our implementation we have used $f(h) = h/4$ and $C_h = 10$. Hence, we need to preserve every number to $Prec(d)$ significant decimal digits in the computations. Since $\eta(\tau)$ can be expressed as a power series in $q$ and the magnitude of $q^n$ converges to zero with increasing $n$, we need to consider only the first $N$ terms for the computation of $\eta(\tau)$, such that the terms of higher powers become insignificant for the precision defined above. To compute $N$, we define $\eta_N(\tau)$ as the sum of the first $N$ terms of the expansion,

$\eta_N(\tau) = q^{1/24}\left(1 + \sum_{n=1}^{N} (-1)^n \left(q^{n(3n-1)/2} + q^{n(3n+1)/2}\right)\right).$

It can easily be shown that, for $\tau = (-b + \sqrt d)/2a$,

$|\eta(\tau) - \eta_N(\tau)| < 6\, e^{\pi\sqrt{|d|}\,(1 - 36N^2)/24a}.$

Taking logarithms of both sides, we get

$\ln|\eta(\tau) - \eta_N(\tau)| < \ln 6 + \frac{\pi\sqrt{|d|}\,(1 - 36N^2)}{24a}.$

Now, according to the precision function defined above, we require

$10^{-Prec(d)} \ge |\eta(\tau) - \eta_N(\tau)| \;\Longrightarrow\; \ln|\eta(\tau) - \eta_N(\tau)| \le -Prec(d)\,\ln 10.$

Combining the above two inequalities, it suffices that

$-Prec(d)\,\ln 10 \ge \ln 6 + \frac{\pi\sqrt{|d|}}{24a} - \frac{3\pi\sqrt{|d|}\,N^2}{2a} \;\Longrightarrow\; N \ge \sqrt{\frac{2a\,(\ln 6 + Prec(d)\,\ln 10)}{3\pi\sqrt{|d|}} + \frac{1}{36}}.$

Hence, for the computation of $\eta(\tau)$ we need to consider at least the number of terms given by the above expression. Similarly, if we want to compute $\eta(k\tau)$, then

$N \ge \sqrt{\frac{2a\,(\ln 6 + Prec(d)\,\ln 10)}{3\pi k\sqrt{|d|}} + \frac{1}{36}}.$
In fact, we need not compute ^-invariants for all the isomorphism classes as the binary 
primitive forms (a, 6 , c) and (a, - 6 ,c) , where a ^ |I>| and a 7 ^ c, will represent two different 
ideal classes and in such a case j-invariant for one class c.an be computed from the other. 

j{a,-b,c) = j {a, b,c) 

Here, bar indicates the complex conjugation. Once all the j-invariants are computed, the 
class equation can easily be computed. If the used floating point precision is appropriate then 
the coefficient will be real and very close to integer value. The correct integer coefficients 
can be obtained by rounding them off to nearest integer value. 
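To make the numerical side of this section concrete, the following Python example (added here; it is not code from the thesis) evaluates $\eta(\tau)$ from the pentagonal-number expansion with the number of terms fixed by the required precision, builds Weber's $\mathfrak f$ and $\gamma_2 = (\mathfrak f^{24} - 16)/\mathfrak f^{8}$, takes $j = \gamma_2^3$ at $\tau = (-b + \sqrt d)/2a$, and multiplies out the class equation, rounding its coefficients to integers; it also evaluates the digit estimate $\pi\sqrt{|d|}/(a \ln 10)$ and $Prec(d)$ with $f(h) = h/4$, $C_h = 10$. The reduced forms of $d = -15$ are supplied by hand (as produced by the rules of Section 4.3), and double precision stands in for the $Prec(d)$-digit arithmetic of the text, which is enough only for the small discriminants used here.

```python
import cmath
import math


def eta(tau, digits=15):
    """Dedekind eta(tau), Im(tau) > 0, from the pentagonal-number expansion
    eta = q^(1/24) (1 + sum_{n>=1} (-1)^n (q^(n(3n-1)/2) + q^(n(3n+1)/2))).
    The tail after N terms is of size |q|^(3N^2/2) = exp(-3 pi N^2 Im tau);
    N is chosen so that this is below 10^-digits (the text's bound with
    Im tau = sqrt|d| / 2a written out)."""
    q = cmath.exp(2j * math.pi * tau)
    N = math.ceil(math.sqrt(digits * math.log(10) / (3 * math.pi * tau.imag))) + 1
    s = 1
    for n in range(1, N + 1):
        s += (-1) ** n * (q ** (n * (3 * n - 1) // 2) + q ** (n * (3 * n + 1) // 2))
    return cmath.exp(2j * math.pi * tau / 24) * s      # q^(1/24) = exp(2 pi i tau / 24)


ZETA48 = cmath.exp(2j * math.pi / 48)


def weber_f(tau, digits=15):
    """Weber's f(tau) = zeta_48^-1 eta((tau + 1)/2) / eta(tau)  (Equation 4.4)."""
    return eta((tau + 1) / 2, digits) / (ZETA48 * eta(tau, digits))


def gamma2(tau, digits=15):
    """gamma_2(tau) = (f^24 - 16) / f^8  (Equation 4.7), so that j = gamma_2^3."""
    f = weber_f(tau, digits)
    return (f ** 24 - 16) / f ** 8


def tau_of_form(a, b, c):
    """tau = (-b + sqrt d) / 2a for the form (a, b, c), d = b^2 - 4ac < 0."""
    return (-b + cmath.sqrt(b * b - 4 * a * c)) / (2 * a)


def j_of_form(a, b, c, digits=15):
    return gamma2(tau_of_form(a, b, c), digits) ** 3


def j_digits(a, d):
    """Estimated decimal digits of |j(tau)|: log10 |1/q| = pi sqrt|d| / (a ln 10)."""
    return math.pi * math.sqrt(-d) / (a * math.log(10))


def precision(forms):
    """Prec(d) of the text: digits of the constant term (product of all h
    j-invariants) plus the slack f(h) + C_h with f(h) = h/4 and C_h = 10."""
    h = len(forms)
    return math.ceil(sum(j_digits(a, b * b - 4 * a * c) for a, b, c in forms) + h / 4 + 10)


def class_polynomial(forms, digits=15):
    """Integer coefficients (highest degree first) of prod_i (x - j_i) over the
    primitive reduced forms of one discriminant.  A form (a, -b, c) is not
    evaluated: its j-invariant is the conjugate of the one for (a, b, c)."""
    roots = []
    for a, b, c in forms:
        if b < 0:
            continue
        j = j_of_form(a, b, c, digits)
        roots.append(j)
        if b != 0 and a != b and a != c:        # (a, -b, c) is a distinct class
            roots.append(j.conjugate())
    poly = [1 + 0j]
    for r in roots:                             # poly := poly * (x - r)
        poly = [p - r * s for p, s in zip(poly + [0j], [0j] + poly)]
    return [round(p.real) for p in poly]


if __name__ == "__main__":
    forms_15 = [(1, 1, 4), (2, 1, 2)]           # reduced forms of d = -15 (Section 4.3 rules)
    print(precision(forms_15), class_polynomial(forms_15))
```

For $d = -15$ the class equation comes out as $x^2 + 191025x - 121287375$; the two roots are real, so the rounding step is visible directly, while for $d = -23$ the conjugate pair $(2, \pm 1, 3)$ is needed and the constant term already has 14 digits, close to what double precision can round reliably.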

For the construction of curves over $GF(2^n)$, we may need to select a discriminant which has class number equal to the degree $n$ of the extension $GF(2^n)$ over $GF(2)$. Since for security reasons $n$ should be at least 140, the precision will be very high, as the summation is carried over all the ideal classes. Even in the case of constructing curves over $GF(p)$, the discriminants may have a large class number. From the computational point of view, it is desirable to have the floating point precision as small as possible. If the discriminants with some particular class number are of concern, then the discriminants with minimum absolute value should be selected, as the precision is directly proportional to $\sqrt{|d|}$. This justifies searching the discriminants in ascending order of their absolute value. Though $a$ also appears in the expression for the precision, we cannot put any restriction on it, as nothing can be deduced about the values of $a$ for the ideal classes prior to the search of the discriminants.

For a (further) reduction in the precision required for a given discriminant, Weber's class invariants [Web02, BCHIS66, AM93, LZ94] play an important role. Weber calls a function $w(\tau)$ a class invariant if the splitting field of its minimal polynomial is $H_O$, the ring class field of $O$. In other words,

$f_w(x) = \prod_{i=1}^{h} \left(x - w(\tau_i)\right)$

will have integer coefficients and $H_O$ will be the splitting field of $f_w(x)$ (as for the j-invariants). In fact, the class invariant is a generalization of the concept of the j-invariant. For computational purposes, we are interested in class invariants $w(\tau)$ which require low precision for the floating point arithmetic and are such that the j-invariants can be expressed in terms of them.

Weber obtained the following class invariants, with some restrictions on the discriminants.

• $u_0(\tau) = j(\tau)$, if there is no restriction on the discriminant. Hence the precision will be the same as obtained above. Now, if a root of the class equation $f(x) \bmod q$ is $x_0$, then the j-invariant over $GF(q)$ will be $x_0$.

• If $d \not\equiv 0 \pmod 2$, then $u_1(\tau) = \sqrt d\,\gamma_3(\tau)$ is a class invariant (so that $u_1^2 = d\,(j - 1728)$). Using the expressions for $\gamma_3$ and $j$ (Equations 4.8 and 4.9), we can express $j(\tau)$ in terms of $u_1(\tau)$ as

$j(\tau) = u_1^2(\tau)/d + 1728.$

Now, the new precision $Prec'(d)$ can be expressed in terms of $Prec(d)$ as

$Prec'(d) = Prec(d)/2.$

In this case the required precision is half of what was computed for the j-invariants. Further, the j-invariant over $GF(q)$ will be $x_0^2/d + 1728$.

• If $d \not\equiv 0 \pmod 3$, then $u_2(\tau) = \gamma_2(\tau)$ is a class invariant, $j(\tau) = u_2^3(\tau)$, and the new precision value is

$Prec'(d) = Prec(d)/3.$

The j-invariant over $GF(q)$ will be $x_0^3$.
For $d \equiv 1 \pmod 8$ and $d \not\equiv 0 \pmod 3$, Yui and Zagier obtained another class invariant $u_3(\tau) = \mathfrak f^*(\tau)$ where, for the form $(a, b, c)$ corresponding to $\tau$,

$\mathfrak f^*(\tau) = \begin{cases} \varepsilon_{a,b,c}\, \mathfrak f(\tau) & \text{if } 2 \nmid a \text{ and } 2 \nmid c, \\ \varepsilon_{a,b,c}\, \mathfrak f_1(\tau) & \text{if } 2 \mid a \text{ and } 2 \nmid c, \\ \varepsilon_{a,b,c}\, \mathfrak f_2(\tau) & \text{if } 2 \nmid a \text{ and } 2 \mid c, \end{cases}$

with $\varepsilon_{a,b,c}$ a 48th root of unity determined by $(a, b, c)$ ($a$ and $c$ cannot both be even, since $b$ is odd and the form is primitive). Since

$j(\tau) = \gamma_2^3(\tau) = \left(\frac{\mathfrak f^{24}(\tau) - 16}{\mathfrak f^{8}(\tau)}\right)^3 = \frac{\left(\mathfrak f^{24}(\tau) - 16\right)^3}{\mathfrak f^{24}(\tau)},$

the new precision function is

$Prec'(d) \approx Prec(d)/48,$

and the j-invariant over $GF(q)$ is

$j = \left(x_0^{24} - 16\right)^3 / x_0^{24}.$

This class invariant is very useful for constructing elliptic curves over $GF(2^n)$, as it reduces the required precision by a factor of 48. Moreover, 2 splits completely in the field of a discriminant admitting this class invariant, because $d \equiv 1 \pmod 8$.

So far, we have seen how to compute the class equation. Now it remains to obtain the elliptic curve equation over $GF(q)$, which we discuss in the next section.

4.5 Computing the Curve Equation over GF(q)

Once we have the class equation, which is a polynomial with integer coefficients, we can obtain the j-invariants of the isomorphism classes of elliptic curves over the finite field $GF(q)$ by factoring it over $GF(q)$.

If the constructed curve is defined over the prime field $GF(p)$, i.e. if $q = p$ in the first norm equation, then the class equation $f(x)$ will split completely modulo $p$. Let $x_i$, $1 \le i \le h$, be the roots of this polynomial. Now, the corresponding $j_i \in GF(q)$ will be as given below for the different class invariants used in computing the class equation $f(x)$:

1. $j_i = x_i$ for the class invariant $u_0(\tau)$,

2. $j_i = x_i^2/d + 1728$ for the class invariant $u_1(\tau)$,

3. $j_i = x_i^3$ for the class invariant $u_2(\tau)$,

4. $j_i = (x_i^{24} - 16)^3 / x_i^{24}$ for the class invariant $u_3(\tau)$.

For curves over $GF(2^n)$, we select $u_3(\tau)$ as the class invariant. In this case, if we go for the options in which the class equation is an irreducible polynomial of degree $n$, then this polynomial can be used for defining the field $GF(2^n)$. Hence there will be no need to factor this polynomial for the computation of the j-invariant, which is very difficult for large values of
$n$. If $\alpha$ is assumed to be a root of it in $GF(2^n)$ [LN94, Men93a, McE87] (i.e. $f(\alpha) = 0$), then every $\beta \in GF(2^n)$ can be written as

$\beta = \sum_{i=0}^{n-1} a_i\,\alpha^i, \qquad a_i \in GF(2).$

Now, the j-invariant $j_0$ can be computed as

$j_0(GF(2^n)) = (\alpha^{24} - 16)^3 / \alpha^{24} \bmod f(\alpha) = \alpha^{48} \bmod f(\alpha),$

since $16 \equiv 0$ in characteristic 2. Since $\alpha^{2^i}$, $1 \le i \le n - 1$, will also be roots of the class equation, the other $j_i$'s can be computed by raising $\alpha^{2^i}$ to the power 48. In case we go for the other option, in which the class equation needs to be factored over $GF(2^n)$, the same idea will still be applicable: that is, the j-invariants will be obtained by raising the roots of the class equation to the power 48.

Now recall that when we solve one norm equation, there will be more than one solution, as all the associates¹ of any $\pi$ give the same norm value. Whereas, when the same $\pi$ is put into the second norm equation, various values (equal in number to the units in $O$) are obtained for the second parameter. It means that over a given finite field there will be more than one choice for the order of the curve, such that all curves over that field having order equal to any of those choices will have the same endomorphism ring. Moreover, there will be $h$ choices of j-invariant for a given discriminant, irrespective of which choice was taken as the order. Because of this, for each j-invariant there will be more than one isomorphism class of elliptic curves, and the number of these classes will be equal to the number of units in the corresponding order $O$. We know that for discriminants less than $-4$ the number of units in the order $O$ is 2; hence for each j-invariant there will be two choices of curves. We call the second curve the twist of the first [LZ94, Sil85]. The next theorem gives the parameters of a curve and its twist [Sil85].


Theorem 4.3 1. Let the prime $p > 3$ for $GF(p)$ and a j-invariant $j_i \in GF(p)$ be given. Then the corresponding elliptic curve $E$ over $GF(p)$ and its twist $\tilde E$ are

$E : y^2 = x^3 + ax + b, \qquad \tilde E : y^2 = x^3 + \tilde a x + \tilde b,$

where

$a = 3k,\; b = 2k \text{ with } k = \dfrac{j_i}{1728 - j_i}$, if $j_i \ne 0, 1728$;

$a \in GF^*(p)$ and $b = 0$, if $j_i = 1728$;

$a = 0$ and $b \in GF^*(p)$, if $j_i = 0$;

$\tilde a = a c^2$ and $\tilde b = b c^3$, for any non-square $c$ in $GF(p)$;

and $\#E(GF(p)) + \#\tilde E(GF(p)) = 2p + 2$.

2. For $j_i \in GF(2^n)$, the elliptic curve $E$ and its twist $\tilde E$ are

$E : y^2 + xy = x^3 + a x^2 + j_i^{-1}, \qquad \tilde E : y^2 + xy = x^3 + \tilde a x^2 + j_i^{-1},$

where $a, \tilde a \in GF(2^n)$ are such that $Tr(a) + Tr(\tilde a) = 1$, and the following equalities hold:

$\#E(GF(2^n)) + \#\tilde E(GF(2^n)) = 2 \cdot 2^n + 2,$

$\#E(GF(2^n)) \equiv 2\,Tr(a) \pmod 4 \quad \text{and} \quad \#\tilde E(GF(2^n)) \equiv 2\,Tr(\tilde a) \pmod 4.$

¹ $V_i\,\pi$, where the $V_i$ are the units in $O$.

Using this theorem, we can compute the coefficients of an elliptic curve equation and its twist. In the case of curves over $GF(2^n)$, we first check whether the order of the curve $\#E(GF(2^n))$ is congruent to 2 or 0 modulo 4. If $\#E(GF(2^n)) \equiv 2 \pmod 4$ we select $a$ with trace 1, otherwise we take $a$ with trace 0. The order of its twist will be $2 \cdot 2^n + 2 - \#E(GF(2^n))$, and $\tilde a$ will be an element of trace 0 or 1 according as the trace of $a$ is 1 or 0.

For curves over $GF(p)$, we first determine $a$ and $b$ and then randomly find a point $P$ on this curve. If $\#E(GF(p))\,P$ is the point at infinity then this is the correct curve equation; otherwise $\tilde E(GF(p))$ is the correct curve equation. The coefficients of $\tilde E(GF(p))$ can be computed by finding any non-square $c$ in $GF(p)$. Note that $\#E(GF(p))\,P = O$ alone does not prove that $E$ has the required order: it also holds for any point whose order divides both candidate orders $p + 1 \pm t$. Since the two candidates have only a small common divisor (it divides their difference $2t$), the test is inconclusive for a negligible fraction of points when the required order has a large prime factor; if needed, it can be made conclusive by checking in addition that $P$ is not killed by the other candidate order.

Hence, using this method we obtain $2h$ curves simultaneously, all having complex multiplication by an order in an imaginary quadratic field. In the next section, we explain the method for the efficient search of discriminants for solving the norm equations.

4.6 Dictionary of Discriminants and Class Numbers

The search for a discriminant for solving the norm equations is very important, as we can be sure of getting a curve only if a proper discriminant exists. Since, for an (imaginary or real) quadratic field, the discriminants of orders are congruent to either 0 or 1 modulo 4, only such negative integers should be tested for solving the norm equations. Since, as discussed in earlier sections, in some cases only discriminants satisfying certain conditions are of interest, let us first summarize all of those conditions for constructing curves over $GF(p)$ (case a) and $GF(2^n)$ (case b):

1. (a & b) The discriminant $d \,(< 0)$ should be congruent to either 0 or 1 modulo 4.

2. (a) Discriminants with small class number are preferred, because the precision required will be less. Moreover, the computation of the j-invariant (or class invariants) over $GF(p)$ will be easier, as the degree of the class equation will be small.

   (b) Discriminants with some particular class numbers, as discussed in Section 4.2, are of interest.

3. (a & b) Discriminants with small absolute value are preferred, as the precision required for the floating point arithmetic is directly proportional to $\sqrt{|d|}$.

4. (a) If, for the computation of the class equation, Weber's or Yui–Zagier's class invariants are to be used, then $d$ should be either an odd integer ($u_1(\tau) = \sqrt d\,\gamma_3(\tau)$), or coprime to 3 ($u_2(\tau) = \gamma_2(\tau)$), or congruent to 1 modulo 8 and coprime to 3 ($u_3(\tau) = \mathfrak f^*(\tau)$). If the j-invariants are used for the class equation, then there will be no restriction.

   (b) Discriminants should be congruent to 1 modulo 8, otherwise 2 will not split into two distinct prime ideals in $K(\sqrt d)$. Since we are interested in large fields, Yui–Zagier's class invariant should be used for a low value of the precision. Hence $d$ should also be coprime to 3.

For an efficient search of the discriminant, we build a dictionary which contains the negative discriminants from $-3$ down to some large value (say $-100000$) which satisfy condition (1). The dictionary also contains the class number of each discriminant, computed using the algorithm pbqf_cln(d) described in Section 4.3. The dictionary is sorted in increasing order of $|d|$. For the construction of a curve over $GF(p)$, we begin by extracting all the discriminants of class number 1 and test them for solvability using Cornacchia's algorithm. If a proper discriminant is not found, then all the discriminants of class number 2 are extracted from the dictionary for solving the norm equations, and so on. As of now, it is not known how many discriminants there are for a given class number, except for class number 1, for which there are 13 negative discriminants. Hence an increase in the size of the dictionary will increase the probability of finding a proper discriminant quickly, though in our implementation we have found $-1000000$ to be sufficient. In the case of curve construction over $GF(2^n)$, we need to extract only the discriminants of a particular class number, which is either equal to, or divides, or is divisible by the extension degree $n$ of $GF(2^n)$ over $GF(2)$, as discussed in Section 4.2.
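The following Python example (added here; not the thesis's code) implements pbqf_cln(d) of Section 4.3 as an enumeration of the primitive reduced forms, and uses it to build the dictionary of this section: discriminants $d \equiv 0, 1 \pmod 4$ keyed by class number and ordered by $|d|$, with the two search orders described above (class number 1 first for $GF(p)$; $d \equiv 1 \pmod 8$ and $3 \nmid d$ of a given class number for $GF(2^n)$). The function names and the dictionary layout are choices made for the example.

```python
from math import gcd


def reduced_forms(d):
    """Primitive reduced forms (a, b, c) of discriminant d < 0, by the rules of
    Section 4.3: |b| <= a <= c, a <= sqrt(|d|/3), and (a, -b, c) listed as a
    second class only when a != c, a != |b| and b != 0 (procedure pbqf_cln)."""
    if d >= 0 or d % 4 not in (0, 1):
        raise ValueError("d must be negative and congruent to 0 or 1 mod 4")
    D = -d
    forms = []
    b = D % 2                       # b has the parity of d
    while 3 * b * b <= D:           # b <= a <= sqrt(D/3)
        m = (b * b + D) // 4        # = a*c, because b^2 - 4ac = d
        a = max(b, 1)
        while a * a <= m:           # a <= c
            if m % a == 0:
                c = m // a
                if gcd(gcd(a, b), c) == 1:
                    forms.append((a, b, c))
                    if b != 0 and a != b and a != c:
                        forms.append((a, -b, c))
            a += 1
        b += 2
    return forms


def class_number(d):
    return len(reduced_forms(d))


def discriminant_dictionary(limit):
    """Dictionary of Section 4.6: class number -> list of discriminants d with
    -limit <= d <= -3 and d = 0 or 1 mod 4, each list in increasing |d|."""
    table = {}
    for d in range(-3, -limit - 1, -1):
        if d % 4 in (0, 1):
            table.setdefault(class_number(d), []).append(d)
    return table


def candidates_gfp(table):
    """Search order for GF(p): all discriminants of class number 1, then 2, ...
    (condition 2(a)), each group in increasing |d| (condition 3)."""
    for h in sorted(table):
        yield from table[h]


def candidates_gf2n(table, h):
    """Discriminants of class number h usable over GF(2^n) with the Yui-Zagier
    invariant: d = 1 mod 8, so that 2 splits, and 3 does not divide d (4(b))."""
    return [d for d in table.get(h, []) if d % 8 == 1 and d % 3 != 0]


if __name__ == "__main__":
    table = discriminant_dictionary(200)
    print(table[1])                              # the 13 class-number-1 discriminants
    print(candidates_gf2n(table, 3))             # d = -23, -31 for a degree-3 extension
```

With the dictionary built down to $-200$, class number 1 yields exactly the 13 discriminants mentioned in the text, and the $GF(2^n)$ filter for $h = 3$ leaves only $-23$ and $-31$ (the other class-number-3 discriminants in that range, $-44, -59, -76, -83, -92$, are not $\equiv 1 \pmod 8$).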

In the next section, we conclude the discussion with algorithms for the construction of non-supersingular elliptic curves over $GF(p)$ and $GF(2^n)$.

4.7 Curve Construction Algorithms 

In this section, we present the final algorithms for constructing non-supersingular elliptic curves over $GF(p)$ and $GF(2^n)$, based on what we have discussed so far. For the construction of curves, a dictionary containing negative discriminants and the corresponding class numbers, as discussed in Section 4.6, is used for the efficient search of discriminants.

Curve construction over GF(p)

In this case, instead of specifying the order of the curve, we specify the upper limit of the small factor and the size of the prime factor of the order.

Input

• n = number of decimal digits in the prime factor of #E(GF(p)),

• B = lower bound on the minimal extension degree for the MOV attack,

• C = upper limit of the small factor of the order.

Output

• the prime p of the working field GF(p),

• a and b, the coefficients of the constructed elliptic curve $y^2 = x^3 + ax + b$,

• #E(GF(p)), the order of the constructed curve. The order will have a large prime factor q such that q − 1 is B-nonsmooth,

• the j-invariant of the constructed curve.

Procedure ECFP(n, B, C)

1. Begin

2. Find randomly an n-digit prime q such that q − 1 is B-nonsmooth.

3. Set i := 1.

4. Extract all discriminants of class number i from the dictionary. If the dictionary is exhausted then augment the size of the dictionary, otherwise set j := 1 and continue.

5. If the discriminants of class number i are not exhausted, then assign the j-th of the extracted discriminants to d and set c := 1; otherwise increment i and go to 4.

6. If c ≤ C then continue, otherwise increment j and go to 5.

7. Call Cornacchia(c · q, d).

8. If Cornacchia() succeeds, assign the solution to π; otherwise increment c and go to 6.

9. Check whether the norm of (1 − V_i π) is a prime p for any of the units V_i in O. If p is prime and $p^k \not\equiv 1 \pmod q$ for all 1 ≤ k ≤ B (the MOV condition), then continue; otherwise increment c and go to 6.

10. Compute all the primitive binary forms using pbqf_cln(d).

11. Compute the precision Prec(d) as given in Section 4.4.

12. Choose a proper class invariant w depending upon the discriminant, and accordingly obtain the new reduced precision Prec'(d).

13. Set f(x) := 1.

14. For k = 1 to i:

   (a) Obtain N for the computation of η(τ_k) corresponding to the k-th binary quadratic form.

   (b) Compute η(τ_k) from its first N terms, with Prec'(d) precision.

   (c) Compute the chosen class invariant w(τ_k).

   (d) Compute f(x) := f(x) · (x − w(τ_k)) with the above defined precision.

15. Round off the coefficients of f(x) to the nearest integers.

16. Factor f(x) modulo p to obtain the roots x_t, 1 ≤ t ≤ i.

17. Pick any x_t and compute j_t, the j-invariant, according to the chosen class invariant.

18. Compute a and b as given in Section 4.5.

19. Find a point P = (x, y) on E: $y^2 = x^3 + ax + b$ by solving this equation for y for some random value of x.

20. Compute (c · q)P. If (c · q)P is the point at infinity, then a and b are the correct coefficients; otherwise find a non-square in GF(p) and compute ã and b̃, which will be the correct coefficients.

21. End
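An added Python example (not the thesis's implementation) for the $GF(p)$ part of the procedure, with the specifics chosen for the example: instead of fixing the order $cq$ and searching for $p$ as ECFP does, it fixes $p$ and $d$ and solves the norm equation $4p = x^2 + |d|y^2$ with the modified Cornacchia algorithm for a prime norm (Tonelli–Shanks for the square root modulo $p$), so that the two candidate orders are $p + 1 \mp x$; the class equation of $d = -7$, $x + 3375$, is taken as known rather than recomputed; the curve and its twist come from Theorem 4.3; and the $(cq)P$ test of step 20 is carried out with affine point arithmetic. The test is made conclusive by also checking the other candidate order, since a point whose order divides both candidates passes either test (for $p = 11$, $d = -7$ every point of the curve does, which is why the fallback counts the points directly).

```python
from math import isqrt


def sqrt_mod(n, p):
    """Tonelli-Shanks: r with r*r = n (mod p), p an odd prime; None for a non-residue."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 2, p) == p - 1)
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def cornacchia_4p(d, p):
    """(x, y) with x^2 + |d| y^2 = 4p for an odd prime p and d < 0, d = 0 or 1 mod 4,
    |d| < 4p; None if p does not split in K(sqrt d).  pi = (x + y sqrt d)/2 then has
    norm p and trace x, so the curves with CM by this order have p + 1 -/+ x points."""
    x0 = sqrt_mod(d, p)
    if x0 is None:
        return None
    if (x0 - d) % 2:                  # x0 must have the parity of d
        x0 = p - x0
    a, b = 2 * p, x0
    while b > isqrt(4 * p):           # Euclid on (2p, x0) down to the first remainder <= 2 sqrt p
        a, b = b, a % b
    c, rem = divmod(4 * p - b * b, -d)
    y = isqrt(c)
    return (b, y) if rem == 0 and y * y == c else None


def curve_from_j(j, p):
    """Theorem 4.3(1): y^2 = x^3 + ax + b with j-invariant j over GF(p), p > 3."""
    j %= p
    if j == 0:
        return 0, 1
    if j == 1728 % p:
        return 1, 0
    k = j * pow((1728 - j) % p, -1, p) % p
    return 3 * k % p, 2 * k % p


def twist(a, b, p):
    """(a c^2, b c^3) for a non-square c: the twist of Theorem 4.3(1)."""
    c = next(c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1)
    return a * c * c % p, b * c ** 3 % p


def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + ax + b over GF(p); None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(n, P, a, p):
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P, a, p)
        P, n = ec_add(P, P, a, p), n >> 1
    return R


def count_points(a, b, p):
    """#E(GF(p)) by brute force over x (toy sizes only)."""
    n = 1
    for x in range(p):
        r = (x ** 3 + a * x + b) % p
        n += 1 if r == 0 else (2 if pow(r, (p - 1) // 2, p) == 1 else 0)
    return n


def curve_with_order(a, b, p, m):
    """Steps 19-20 of ECFP: coefficients of whichever of E: y^2 = x^3 + ax + b and
    its twist has exactly m points (m one of p + 1 -/+ x).  m*P = O alone is not
    conclusive, since it also holds for points of order dividing gcd(m, m') with
    m' = 2p + 2 - m, so a point decides only if exactly one of m*P, m'*P vanishes;
    if no point separates the two (possible only for toy p) the order is counted."""
    m2 = 2 * p + 2 - m
    for x in range(p):
        y = sqrt_mod((x ** 3 + a * x + b) % p, p)
        if y is None:
            continue
        km, km2 = ec_mul(m, (x, y), a, p) is None, ec_mul(m2, (x, y), a, p) is None
        if km != km2:
            return (a, b) if km else twist(a, b, p)
    return (a, b) if count_points(a, b, p) == m else twist(a, b, p)


if __name__ == "__main__":
    p, d, j = 11, -7, -3375          # class equation of d = -7 is x + 3375 (taken as known)
    x, y = cornacchia_4p(d, p)       # 4*11 = 4^2 + 7*2^2, so the orders are 12 -/+ 4
    for m in (p + 1 - x, p + 1 + x):
        print(m, curve_with_order(*curve_from_j(j, p), p, m))
```

For $p = 11$ the two curves are $y^2 = x^3 + 5x + 7$ (16 points) and its twist $y^2 = x^3 + 9x + 1$ (8 points); the first has full rational 2-torsion, so every one of its points is killed by 8 as well as by 16, which is exactly the case in which the single $(cq)P$ test says nothing.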

Curve construction over GF(2^n)

In this case, we need to search discriminants of some particular class number, as given in Section 4.2. Here, we briefly discuss the different cases, following the notation used in Section 4.2.

1. n = ht: In this case, we need to consider discriminants of class number h only, and the class equation will be a polynomial of degree h (not necessarily irreducible over GF(2)). To obtain the j-invariant, the class equation will have to be factored.

2. n = h:

   (a) n is prime: Here, a discriminant of class number n needs to be searched for, and the class equation will definitely be an irreducible polynomial over GF(2). Hence, the class equation can be taken as the modulus polynomial defining GF(2^n).

   (b) n is composite: If n is composite, then the class equation may be reducible over GF(2), and then the j-invariants will be obtained by finding the roots of the class equation in GF(2^n); otherwise the class equation can be taken as the modulus polynomial defining GF(2^n).

3. h = nt: In this case, the class equation will be a polynomial of degree h and will be reducible over GF(2). If its factors are irreducible polynomials of degree n over GF(2) (which will surely happen if n is prime), then any of these factors can be used for defining GF(2^n), avoiding the factorization for the j-invariant; otherwise the class equation will have to be factored over GF(2^n).

In view of these points, the algorithm is as follows.

Input

• n = the extension degree of GF(2^n) over GF(2),

• h = the class number of the discriminants to be searched,

• B = lower bound on the minimal extension degree for the MOV attack,

• C = upper limit of the small factor of the order,

• H = the modulus polynomial for GF(2^n), if needed.

Output

• the modulus polynomial H for GF(2^n) (if not given in the input),

• a and b, the coefficients of the constructed elliptic curve E(GF(2^n)): $y^2 + xy = x^3 + ax^2 + b$,

• #E(GF(2^n)), the order of the constructed curve. The order will have a large prime factor q such that q − 1 is B-nonsmooth,

• the j-invariant of the constructed curve.

Procedure ECGF2(n, h, B, C, H)

( ** H is optional ** )

1. Begin

2. Extract all the discriminants of class number h from the dictionary. If there is no such discriminant, then augment the size of the dictionary; otherwise set j := 1 and continue.

3. If the discriminants of class number h are not exhausted, then assign the j-th of the extracted discriminants to d; otherwise start again with the augmented dictionary.

4. If (d ≡ 1 mod 8 and 3 ∤ d) then continue, otherwise increment j and go to 3.

5. Call Cornacchia(2^n, d).

6. If Cornacchia() succeeds, assign the solution to π; otherwise increment j and go to 3.

7. Check whether the norm of (1 − V_i π) is equal to c · q for any of the units V_i in O, where c ≤ C, q is a prime such that q − 1 is B-nonsmooth, and $(2^n)^k \not\equiv 1 \pmod q$ for all 1 ≤ k ≤ B (the MOV condition). If all these conditions are satisfied then continue, otherwise increment j and go to 3.

8. Compute all the primitive binary forms using pbqf_cln(d).

9. Compute the precision Prec(d) as given in Section 4.4.

10. Choose Yui–Zagier's class invariant u_3 and obtain the new reduced precision Prec'(d).

11. Set f(x) := 1.

12. For k = 1 to h:

   (a) Obtain N for the computation of η(τ_k) corresponding to the k-th binary quadratic form.

   (b) Compute η(τ_k) from its first N terms, with Prec'(d) precision.

   (c) Compute the chosen class invariant u_3(τ_k).

   (d) Compute f(x) := f(x) · (x − u_3(τ_k)) with the above defined precision.

13. Round off the coefficients of f(x) to the nearest integers.

14. Determine the j-invariant as the 48th power of a root of the class equation (in cases 1 and 3, where the class equation is not itself the modulus polynomial, that root has to be found in the field GF(2^n) defined by H).

15. Assign to a any element of trace 1 or 0 according as (c · q) ≡ 2 or 0 (mod 4), and set b := j^{-1}.

16. End

We will discuss the implementation results in Chapter 7. In the next section, we discuss the
construction of supersingular curves over GF(2^n).
4.8 Construction of Supersingular Elliptic Curves over GF(2^n)

Here, we briefly discuss the procedure for construction of supersingular curves over GF(2^n).
For supersingular elliptic curves over GF(2^n), the choice for selecting a curve is very limited
as there are only 3 and 7 isomorphism classes for odd and even n respectively [Men93b].
The following table depicts all of these isomorphism classes with their order and the degree of
extension k for the MOV attack, which is the minimum integer such that ((2^n)^k − 1) is divisible by
#E(GF(2^n)).


Curve E(GF(2^n))            n                  #E(GF(2^n))                k

y^2 + y = x^3               n ≡ 1 mod 2        2^n + 1                    2

y^2 + y = x^3 + x           n ≡ 1, 7 mod 8     2^n + 1 + 2^((n+1)/2)      4
                            n ≡ 3, 5 mod 8     2^n + 1 − 2^((n+1)/2)      4

y^2 + y = x^3 + x + 1       n ≡ 1, 7 mod 8     2^n + 1 − 2^((n+1)/2)      4
                            n ≡ 3, 5 mod 8     2^n + 1 + 2^((n+1)/2)      4

y^2 + γy = x^3              n ≡ 0 mod 4        2^n + 1 + 2^(n/2)          3
                            n ≡ 2 mod 4        2^n + 1 − 2^(n/2)          3

y^2 + γy = x^3 + λ          n ≡ 0 mod 4        2^n + 1 − 2^(n/2)          3
                            n ≡ 2 mod 4        2^n + 1 + 2^(n/2)          3

y^2 + γ^2 y = x^3           n ≡ 0 mod 4        2^n + 1 + 2^(n/2)          3
                            n ≡ 2 mod 4        2^n + 1 − 2^(n/2)          3

y^2 + γ^2 y = x^3 + β       n ≡ 0 mod 4        2^n + 1 − 2^(n/2)          3
                            n ≡ 2 mod 4        2^n + 1 + 2^(n/2)          3

y^2 + y = x^3 + δx          n ≡ 0 mod 2        2^n + 1                    2

y^2 + y = x^3               n ≡ 0 mod 4        2^n + 1 − 2·2^(n/2)        1
                            n ≡ 2 mod 4        2^n + 1 + 2·2^(n/2)        1

y^2 + y = x^3 + ω           n ≡ 0 mod 4        2^n + 1 + 2·2^(n/2)        1
                            n ≡ 2 mod 4        2^n + 1 − 2·2^(n/2)        1


Table 4.1: Representatives for Isomorphism Classes of Supersingular Curves

Here γ is a non-cube in GF(2^n) and λ, β, δ, ω ∈ GF(2^n) are such that Tr(γ^{-2} λ) = 1,
Tr(γ^{-4} β) = 1, Te(δ) ≠ 0 and Tr(ω) = 1, where

Tr : θ ↦ θ + θ^2 + θ^{2^2} + ... + θ^{2^{n-1}},

Te : θ ↦ θ + θ^{2^2} + θ^{2^4} + ... + θ^{2^{n-2}}.
Let us assume that α is a generator of the multiplicative group of GF(2^n); then the following algorithm
gives γ in GF(2^n).

Gamma(α, n)

1. Begin

2. for i = 1 to 2^n − 1
   if (i ≢ 0 mod 3)
    then if (i + 2^n − 1 ≢ 0 mod 3)
     then if (i + 2^{n+1} − 2 ≢ 0 mod 3) break;

3. γ = α^i

4. End.

The rest of the elements can easily be computed. For example, ω is an element with trace 1,
λ = ωγ^2, β = ωγ^4 and δ is an element such that Te(δ) ≠ 0.
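As an added example (not part of the thesis), the following Python code counts points by exhaustion on the Table 4.1 representatives over small fields GF(2^n) and checks the counts against the table formulas; it also implements the Tr and Te maps and the Gamma procedure above. The irreducible polynomials, and the choice of λ = ωγ^2 and β = ωγ^4 so that Tr(γ^{-2}λ) = Tr(γ^{-4}β) = 1, are this example's own.

```python
"""Exhaustive point counts for the Table 4.1 representatives over small GF(2^n)."""

# Constructed: one irreducible polynomial per extension degree used below.
IRRED = {3: 0b1011, 4: 0b10011, 5: 0b100101, 6: 0b1000011}

def gf_mul(a, b, n, poly):
    """Multiply two elements of GF(2^n) (integers as bit vectors) modulo poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def gf_pow(a, e, n, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r

def trace(a, n, poly):
    """Tr: theta -> theta + theta^2 + ... + theta^(2^(n-1)), the trace to GF(2)."""
    r, x = 0, a
    for _ in range(n):
        r ^= x
        x = gf_mul(x, x, n, poly)
    return r

def trace4(a, n, poly):
    """Te: theta -> theta + theta^(2^2) + ... + theta^(2^(n-2)), the trace to GF(4)."""
    r, x = 0, a
    for _ in range(n // 2):
        r ^= x
        x = gf_pow(x, 4, n, poly)
    return r

def generator(n, poly):
    """Smallest alpha generating GF(2^n)^*, checked against the prime factors of 2^n - 1."""
    q, primes, m, f = (1 << n) - 1, [], (1 << n) - 1, 2
    while f * f <= m:
        if m % f == 0:
            primes.append(f)
            while m % f == 0:
                m //= f
        f += 1
    if m > 1:
        primes.append(m)
    return next(a for a in range(2, 1 << n)
                if all(gf_pow(a, q // p, n, poly) != 1 for p in primes))

def gamma(alpha, n, poly):
    """Procedure Gamma: alpha^i for the first i with i, i + 2^n - 1 and i + 2^(n+1) - 2
    all nonzero mod 3, which makes alpha^i a non-cube."""
    q = (1 << n) - 1
    i = next(i for i in range(1, q) if i % 3 and (i + q) % 3 and (i + 2 * q) % 3)
    return gf_pow(alpha, i, n, poly)

def count_points(n, poly, c, d, e):
    """#E(GF(2^n)) for y^2 + c*y = x^3 + d*x + e by exhaustion, including O."""
    total = 1
    for x in range(1 << n):
        rhs = gf_mul(gf_mul(x, x, n, poly), x, n, poly) ^ gf_mul(d, x, n, poly) ^ e
        total += sum(1 for y in range(1 << n)
                     if gf_mul(y, y, n, poly) ^ gf_mul(c, y, n, poly) == rhs)
    return total

def table_rows(n):
    """(label, c, d, e, order predicted by Table 4.1) for every row that applies to n."""
    poly, q = IRRED[n], 1 << n
    if n % 2:
        s, sign = 1 << ((n + 1) // 2), (1 if n % 8 in (1, 7) else -1)
        return [("y^2+y=x^3", 1, 0, 0, q + 1),
                ("y^2+y=x^3+x", 1, 1, 0, q + 1 + sign * s),
                ("y^2+y=x^3+x+1", 1, 1, 1, q + 1 - sign * s)]
    s, sign = 1 << (n // 2), (1 if n % 4 == 0 else -1)
    g = gamma(generator(n, poly), n, poly)
    g2 = gf_mul(g, g, n, poly)
    omega = next(w for w in range(q) if trace(w, n, poly) == 1)
    delta = next(v for v in range(q) if trace4(v, n, poly) != 0)
    lam = gf_mul(omega, g2, n, poly)                        # Tr(gamma^-2 lam) = Tr(omega) = 1
    beta = gf_mul(omega, gf_mul(g2, g2, n, poly), n, poly)  # Tr(gamma^-4 beta) = 1
    return [("y^2+gy=x^3", g, 0, 0, q + 1 + sign * s),
            ("y^2+gy=x^3+lam", g, 0, lam, q + 1 - sign * s),
            ("y^2+g^2y=x^3", g2, 0, 0, q + 1 + sign * s),
            ("y^2+g^2y=x^3+beta", g2, 0, beta, q + 1 - sign * s),
            ("y^2+y=x^3+dx", 1, delta, 0, q + 1),
            ("y^2+y=x^3", 1, 0, 0, q + 1 - 2 * sign * s),
            ("y^2+y=x^3+omega", 1, 0, omega, q + 1 + 2 * sign * s)]

def verify_table(n):
    """True when the exhaustive count of every row agrees with the table formula."""
    return all(count_points(n, IRRED[n], c, d, e) == order
               for _, c, d, e, order in table_rows(n))
```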

With this we conclude this chapter. We will discuss the implementation results in Chapter 7.
Chapter 5

Elliptic Curves for Number Theoretic
Computations


Apart from their application in cryptography, elliptic curves are also useful from the point of view of
various number theoretic computations. In the recent past, several efficient algorithms have
been proposed for certain number theoretic problems, namely integer factorization and primality
testing. In this chapter, we briefly survey these algorithms and discuss their complexity.


5.1 Integer Factorization

The problem of factorization of composite numbers has attracted the attention of great
mathematicians throughout the ages. Eratosthenes (250 B.C.) gave a method for determining
all primes below a given limit. In the early 13th century, Fibonacci pointed out that to
determine the factors of a number n, it suffices to trial divide by the integers ≤ √n. Gauss
emphasized the importance of the problem of distinguishing prime numbers from composite
numbers, and gave methods for reducing the steps in trial division. In 1640, Fermat also
gave an algorithm which works as follows.

Let n = (x + y)(x − y). Starting from y = 0 till y = ⌊√n⌋, test whether n + y^2 is a perfect
square or not. Once proper x and y are obtained, the factors will be given as (x + y) and
(x − y).

More recently, the enhanced motivation for the study of the problem is the apparent
security of the RSA public key cryptosystem, based on the difficulty of factorizing a number
which is the product of two large primes. The issues related to the computational complexity of
various integer factorization algorithms have become very important. The above mentioned
methods have exponential complexity¹ O(exp(1/2 log n)) and hence are impractical for

¹O(exp(c log n)) in general

large composite numbers. Though there is no polynomial time algorithm known for factor-
ization, recent progress in this area has reduced the coefficient from 1/2 to lower
values. At present, the quadratic sieve and number field sieve methods are considered to
be the best and have been used to factor a 129 digit composite number and some special forms of
155 digit composite numbers [Sim91]. The complexity of these methods has been estimated
as O(exp((c + o(1))(ln n)^α (ln ln n)^{1−α})). By some heuristic arguments c = 2.08 and
α = 1/3 have been attained [Sim91].

For some special forms of integers, other algorithms also give noticeably good results.
Among these, Pollard's p − 1 method [Gre93, Ste85, PS93] was considered to be the best. We
give a brief description of this algorithm. Let M be a B-smooth integer, i.e. every prime
factor p_i of M will be less than or equal to B. Thus

M = ∏_{p_i ≤ B} p_i^{e_i}   with e_i > 0.

The probability that a random number M ≤ x is B-smooth is approximately u^{−u} for u =
log x / log B. Now, suppose that the composite number n is such that it has a prime factor p for
which p − 1 is B-smooth. Define

M = ∏_{p_i ≤ B} p_i^{⌊log n / log p_i⌋}.

The exponents of p_i have been chosen so that we can guarantee that p − 1 divides M. In
particular, for any integer a with gcd(a, p) = 1

a^{p−1} ≡ 1 mod p

and so

a^M ≡ 1 mod p.

To find p then, the method first computes d = a^M − 1 (mod n) for some random a (say 2);
secondly it computes the highest common factor of d and n. This will normally be p unless
there are other primes p_i dividing n for which the exponent of a mod p_i divides M.

The time for this algorithm is dominated by the time to compute a^M modulo n. This
algorithm requires O(B (log n)^2 / log B) modulo n multiplications. These modulo n multipli-
cations can be performed efficiently using Montgomery's scheme [Mon85] for modular arith-
metic. In view of the earlier remark about the rarity of B-smooth numbers, this method
is not worth implementing unless it is known that, for some small B, p − 1 is B-smooth.

Lenstra's elliptic curve factorization method [Ste85] is based on the same idea but resolves
this problem by using the elliptic curve group over Z_n. This method succeeds if the order of the
curve is B-smooth. The advantage of this method is that there are a large number of different
curves E that can be tried, each with a potentially different value of the order of the curve. Explicitly,
the method is as follows:


Procedure ECFACT(n)

1. Begin.

2. Choose a value for B and let M = lcm{1, 2, ..., B}.

3. Choose an elliptic curve E randomly with integer coefficients and a point P on the
curve modulo n.

4. Compute MP modulo n using the formulae given in Chapter 3. If the slope m of the
tangent (or chord) while adding two points is infinite, then a prime factor p of n will be the gcd of the
denominator and n. If the slope computation does not fail, then go to step 3 and choose
a different curve E.

5. End.

The correctness of this algorithm can be verified from the fact that if the point at infin-
ity is attained while carrying out the computation of MP then the slope m for the line
passing through the points being added at that time will have a denominator which is
not relatively prime to n. In other words, the denominator will have a factor of n as a
factor. The numerous choices of elliptic curve orders over Z_n make this method very attrac-
tive as compared to Pollard's method. The complexity of this algorithm is estimated as
O(exp(√(log n log log n))). In practice, however, this method also does not give as good
results as it promises for very large composite numbers. The reason for this is the rarity
of B-smooth numbers. A significant improvement may be achieved by constructing curves
with B-smooth orders over Z_n using the method given in Chapter 4, though constructing
curves with given n and order may require a very long time. It should be noticed that all the
arguments which were given for fields in Chapter 2 will also hold for the ring Z_n as well. That
is, if n splits in any quadratic imaginary field K(√d) into principal ideals
𝔫 and 𝔫' then

(n) = 𝔫𝔫'.

Here 𝔫 and 𝔫' will not be prime ideals. If n splits in the Hilbert (or ring) class field H into ideals
𝔄, then O_H/𝔄 will be a ring as 𝔄 is not a prime ideal. The number of elements in this ring
will be the norm of 𝔄, which will be equal to n. Hence the reduction map will give an elliptic curve
over Z_n.
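As an added example (not from the thesis), the Pollard p − 1 method and a plain affine-coordinate version of ECFACT above are written out side by side in Python, on two constructed moduli: one where p − 1 is 7-smooth, and one where neither p − 1 nor q − 1 is smooth for a small B, so that only the curve search succeeds. The bound values, the random curve selection and the seed are this example's choices.

```python
"""Pollard's p - 1 method next to Lenstra's ECFACT on constructed small moduli."""
from math import gcd
import random

def smooth_exponent(B, bound):
    """M = prod_{p_i <= B} p_i^floor(log(bound) / log(p_i)): every B-smooth number
    not exceeding bound divides M (with bound = B this is lcm(1, 2, ..., B))."""
    M = 1
    for p in range(2, B + 1):
        if all(p % d for d in range(2, int(p ** 0.5) + 1)):
            e = 1
            while p ** (e + 1) <= bound:
                e += 1
            M *= p ** e
    return M

def pollard_p_minus_1(n, B, a=2):
    """gcd(a^M - 1, n): a proper factor when some prime p | n has p - 1 B-smooth and
    the order of a modulo the other prime factors does not divide M, else None."""
    d = gcd(pow(a, smooth_exponent(B, n), n) - 1, n)
    return d if 1 < d < n else None

class SlopeFailure(Exception):
    """A slope denominator was not invertible mod n; d = gcd(denominator, n)."""
    def __init__(self, d):
        self.d = d

def ec_add(P, Q, a, n):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over Z_n (None is O).
    The coefficient b never enters the formulae, so it is not needed here."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None
    if P == Q:
        num, den = 3 * x1 * x1 + a, 2 * y1
    else:
        num, den = y2 - y1, x2 - x1
    d = gcd(den % n, n)
    if d != 1:
        raise SlopeFailure(d)          # the slope is infinite modulo a factor of n
    m = num * pow(den, -1, n) % n
    x3 = (m * m - x1 - x2) % n
    return (x3, (m * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    """k*P by double-and-add; every addition may raise SlopeFailure."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        k >>= 1
        if k:
            P = ec_add(P, P, a, n)
    return R

def lenstra_ecm(n, B, curves=200, seed=1):
    """ECFACT: M = lcm(1, ..., B); random curves through a random point until the
    computation of M*P breaks down modulo exactly one factor of n."""
    rng = random.Random(seed)
    M = smooth_exponent(B, B)
    for _ in range(curves):
        x0, y0, a = (rng.randrange(1, n) for _ in range(3))   # b is implied by (x0, y0)
        try:
            ec_mul(M, (x0, y0), a, n)
        except SlopeFailure as f:
            if 1 < f.d < n:            # d == n would mean O was reached modulo every factor
                return f.d
    return None

# Constructed moduli: 1009 - 1 = 2^4 * 3^2 * 7 is 7-smooth, while 1013 - 1 = 4 * 11 * 23
# and 1019 - 1 = 2 * 509 are not smooth, so only the curve search can split N_ROUGH.
N_SMOOTH = 1009 * 2003
N_ROUGH = 1013 * 1019
```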
5.2 Primality Proving

Primality testing is the most flourishing field in computational number theory. Though
integer factorization is very difficult, primality testing is relatively much simpler. For
primality proving several probabilistic and deterministic algorithms are available to date.
Probabilistic algorithms, like the Rabin-Miller test [Gre93, BS96] etc., tell with certainty about
the compositeness of any number but primality is not certain. These algorithms are much
faster than deterministic algorithms. We first give the Lucas theorem [Gre93, BS96, AM93,
PS93] which is the core of many deterministic and probabilistic primality testing algorithms.

Theorem 5.1 If there exists an a relatively prime to n such that a^{n−1} ≡ 1 mod n but
a^{(n−1)/q} ≢ 1 mod n for every prime divisor q of n − 1, then n is prime.

For a more optimal form of this theorem please refer to [Wun83]. Now, if n is to be tested for
primality then we require the prime factors of (n − 1) so that the Lucas test can be performed. Now,
we go by a downrun process [Wun83] in which we first find the small factors of (n − 1) less than
some limit (which is computationally easier) and then carry out the Lucas test for all the
factors. If the test fails then n will be composite, otherwise we proceed with primality proving
of the indecomposed factor of (n − 1). Hence, this will be a recursive procedure in which the size
of the integer to be tested for primality will reduce with each step. It should be noticed that
success is not guaranteed in this process as at any stage it may happen that the indecomposable
factor is composite and contains two large primes as factors. Hence, in such a case, the algorithm
will fail because factoring such an integer will be very difficult. Hence, the success of this
method is largely dependent on the fact that no (n_i − 1) should come across in the downrun
process which contains two large prime factors. Please refer to [Wun83] for more detail.
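As an added example (not the thesis's code), the Lucas test of Theorem 5.1 driven by the downrun of [Wun83] in Python: n − 1 is trial divided up to a limit, the unfactored cofactor is proved prime recursively, and the search fails in exactly the situation described above, when an indecomposed cofactor turns out to be composite. The trial-division limit and the bound on the witness search are this example's choices.

```python
"""Lucas n-1 test (Theorem 5.1) driven by a recursive downrun on the cofactor."""

def trial_factor(m, limit):
    """Distinct primes dividing m found by trial division up to limit, and the part of
    m left unfactored (1 when m was split completely)."""
    primes, d = [], 2
    while d <= limit and d * d <= m:
        if m % d == 0:
            primes.append(d)
            while m % d == 0:
                m //= d
        d += 1
    return primes, m

def is_small_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def lucas_witness(n, primes, tries=200):
    """An a with a^(n-1) = 1 (mod n) and a^((n-1)/q) != 1 (mod n) for every q in primes.
    None when some a fails Fermat's test (n composite) or no witness shows up in tries."""
    for a in range(2, min(n, 2 + tries)):
        if pow(a, n - 1, n) != 1:
            return None
        if all(pow(a, (n - 1) // q, n) != 1 for q in primes):
            return a
    return None

def prove_prime(n, limit=100):
    """Downrun: the small factors of n-1 come from trial division, the remaining
    cofactor is proved prime by recursion, then the Lucas test is applied to n.
    Returns the chain [(n, a, primes of n-1), ...] or None when a step fails."""
    if n <= limit:
        return [(n, None, [])] if is_small_prime(n) else None
    primes, cofactor = trial_factor(n - 1, limit)
    chain = []
    if cofactor > 1:
        chain = prove_prime(cofactor, limit)
        if chain is None:          # the indecomposed factor is composite (or too hard)
            return None
        primes = primes + [cofactor]
    a = lucas_witness(n, primes)
    return None if a is None else [(n, a, primes)] + chain

# Constructed case: 2^31 - 1 is prime and 2^31 - 2 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331.
# With limit 100 the cofactor 151 * 331 is left undecomposed and the downrun fails;
# with limit 200 the factor 151 is found and 331 is proved prime in the recursion.
MERSENNE_31 = 2 ** 31 - 1
```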

We will now see that an elliptic curve analog of this method overcomes this problem to
a great extent. Let us first see the Goldwasser-Kilian theorem [AM93].

Theorem 5.2 Let n be an integer prime to 6, E be an elliptic curve over Z_n, together with
a point V on E and m and s two integers with s | m. For each prime divisor q of s, we put
(m/q)V = (x_q, y_q, z_q). We assume that mV = O and (m/q)V ≠ O for all q. Then, if p is a
divisor of n, one has #E(GF(p)) ≡ 0 mod s.

A closer look reveals that this theorem is a result of the discussion in the previous section. We also
have:

Corollary 5.1 With the same conditions, if s > (n^{1/4} + 1)^2 then n is prime.

Combining this theorem with Schoof's algorithm [Sch85], which computes the order
#E(GF(p)) of the curve in O((log p)^{8+ε}) steps, we obtain the Goldwasser-Kilian algorithm.
Procedure GK(n)


1. Begin.

2. Choose an elliptic curve E over Z_n for which the number of points m (computed with
Schoof's algorithm) satisfies m = cq, with c a small integer and q a probable prime.

3. If m satisfies the conditions of the theorem and corollary with s = m, then n is prime,
otherwise it is composite.

4. The primality of q is proved in the same way.

5. End.

We see that the problem of limited choices for factors in the downrun process in the method
mentioned earlier is overcome, as there are plenty of numbers to try. It should be noted
here that the downrun process is the primality proving of q, because for a given q this algorithm will
prove the primality of n in the second step. Successive downruns will reduce the size of q and once
this chain of primality proving terminates, the primality of all earlier q will be obvious. If
it so turns out in any step that some q is not prime then in the previous step the order m should
be changed to one with some other probable prime q, which will continue the downrun process.
An astute observation reveals that q in each step is taken to be prime because it, in a way,
avoids the factorization. Had factorization been a simple task, we would have gone with
it for testing the conditions of the above theorem and corollary.

The problem with GK is that Schoof's algorithm is quite expensive in time in actual
implementations. If we, instead, use the curve construction algorithm with known order
then this problem will also be rectified. Hence, contrary to what we do in procedure GK(n),
we begin with some particular order and then find the related Weierstrass equation. The
modified algorithm is as follows.

Procedure ECPP(n)

1. Begin.

2. Set i := 0, n_i := n, FLAG = 0;

3. While (FLAG = 0)

(a) Set prime_n = 0 and search a discriminant such that n_i is expressible as a norm.
Denote the solution as π.

(b) Find all the choices of the order for each unit in the corresponding order. If none of the
orders m_i is factorable into F_i n_{i+1}, where F_i is the completely known factor and
n_{i+1} is a probable prime, then go to step 3.1 and try with some other discriminant;
otherwise (i.e. proper factors are found) continue.

(c) Store m_i and n_{i+1}.

(d) If n_{i+1} is prime then set FLAG = 1.

(e) Compute the class equation and the curve equation as discussed in Chapter 4.

(f) Find a point V on the curve.

(g) Check the conditions of the theorem and corollary with s = n_{i+1} and m = m_i. In
other words, check (m/s)V ≠ O, mV = O and s > (n_i^{1/4} + 1)^2. If all these conditions
hold then set i := i + 1, prime_n := 1 and go to step 3; otherwise go one
iteration back in this loop and try with some other m_{i−1} so as to have a different
n_i. If i − 1 is negative then set prime_n := 0 and go to step 4.

4. If prime_n = 1 then n is prime, otherwise composite.

5. End.

The complexity of this algorithm has been shown to be O((log n)^{6+ε}).

In the next section, we discuss an algorithm for finding square roots in GF(p).


5.3 Square Root Modulo p

In [Sch85], Schoof discusses an algorithm which begins with finding the Frobenius element for an
elliptic curve over some suitable extension of GF(p) which has complex multiplication by
an order of discriminant x, where x is the integer whose square root needs to be found. In
fact, there is no need to go by Schoof's method, which unnecessarily adds extra overhead.
By the theory discussed in Chapter 2, we know that Schoof's interpretation was correct but
not necessary. We give here an outline of the modified algorithm.

Let t^2 ≡ x mod p. Then we look for a minimum integer k such that p^k splits into
principal ideals in an order of discriminant x in the quadratic field K(√(square free part of x)).
In such a case, 4p^k can be written as

4p^k = a^2 − x b^2

where a, b ∈ Z. Hence, it is easy to see that a^2 ≡ x b^2 mod p, which means that t ≡ a/b mod p.
The search for a proper extension should begin with k = 1. If p splits into principal prime
ideals in the quadratic field K(√(square free part of x)), then a proper solution will be found
for k = 1. Cornacchia's algorithm discussed in Chapter 4 can be used for finding the
solution.
Chapter 6

On Efficient Implementation and
Smart Card Design


So far we have discussed how a cryptosystem can be constructed using elliptic curves over
GF(2^n) and GF(p), and how the curve should be selected to ensure security under the
known attacks. In this chapter, we concentrate on various issues related to software and
hardware implementation. Here our major focus will be upon efficient arithmetic in
GF(2^n) & GF(p), and the selection of fields and elliptic curves suitable for smart cards. In the
first section, we give an introductory overview of smart cards.

6.1 Introduction to Smart Cards

Over the last few years, computers and the internet have become an essential part of daily life.
This inevitable invasion has led to an increase in demand for secure information and financial
transactions over an electronically connected network. Apart from banking applications,
pay channels, telephones etc. also demand security. All this has led to a heightened
demand for smart cards which are equipped with cryptographic algorithms. A smart card
is a multipurpose, tamper resistant security device. It is very similar to a credit card
but also possesses storage and processing capabilities and can perform various cryptographic
operations. Smart cards offer an economic and convenient solution to the problems
of user authentication and have a plethora of applications including banking transactions,
health care, mobile telephones and pay channels.

Traditional financial cards are magnetic strip cards [Sim91, DVJ96] which do not have
processing capabilities but can store a small amount of data. The scope of such cards is limited
to very few applications. The additional ability to compute and interact in a system gives
smart cards access to powerful cryptographic algorithms and improves the flexibility, security
and reliability of the system, or card. They make possible digital signatures, encryption,
decryption and data access control. The advantage with smart cards is that secret
information never leaves the card in unencrypted form and moreover, each time the encrypted
data is different from what was used earlier. For more information on smart cards please
see [Sim91, NM95, Kon91, dWQ99, FOM99, DVJ96, AMV93].

Figure 6.1: Component of Smart Card


6.1.1 Components of Smart Card

The smart card looks like a credit card (see Figure 6.1). A rectangular plastic card supports
all the electronic components. This plastic card also carries information concerning the
application and issuer and also the information about the card holder. The following are
the components of the smart card as specified by the International Standards Organization (ISO
7816).


The smart card contains eight contacts at the left corner as shown in Figure 6.1.
The card communicates with external devices via a serial port (I/O in Figure 6.1). A com-
mon bit rate is 9600 bps but much faster rates (up to 116200 bps) are also used in
accordance with standards. Contactless interfaces are also in practice, which use RF
signals to communicate. This feature increases the life of the smart cards. Other contacts
are for clock signals, 5V power supply, reset and ground. The contact VPP is for program-
ming the EPROM located on the card. The remaining two contacts are not used presently.
Between these contacts, a 22 mm^2 space has been provided for other electronic components.

Microcontroller: The heart of the smart card is a microcontroller. The card's microcon-
troller executes the cryptographic application programs which are stored in ROM at the time
of manufacturing. It receives power and incoming data from external devices through the
contacts provided on the smart card. Presently 8 bit microcontrollers are in use, the most
common cores being Motorola's 68HC05 and Intel's 8051. The development of 32 bit mi-
crocontrollers is in progress for smart card applications [Oas94]. The 32 bit microcontroller
will lead to a significant improvement in the processing power of the smart card. Since the
processing power of the card's processor is restricted due to several technological constraints,
the selection of a cryptographic algorithm is a very important issue. Presently RSA is in wide
use for smart card applications, but we will see later in this chapter that elliptic curve public
key algorithms are a better choice for smart cards.

Coprocessor: Since public key algorithms are computation intensive, sometimes a co-
processor is also interfaced with the main processor to carry out the arithmetic operations
involved in the cryptographic protocol. The coprocessor is specifically designed to perform the
required arithmetic efficiently. In RSA based smart cards, the coprocessor is de-
signed to perform 512 bit integer modulo arithmetic. For cryptosystems based on the DLP in
GF(2^n), the coprocessor is designed to perform arithmetic on 700 bit long elements. Since
the space available on the smart card is very limited (22 mm^2), it is very difficult to design a
coprocessor to perform arithmetic on such large elements efficiently. Here, elliptic curve
cryptosystems promise a lot of scope as they require arithmetic on much smaller elements for
the same level of security. Hence, the complexity of the coprocessor is reduced. The size of the
elements involved in the arithmetic is so small (130 bits) that if 32 bit microcontrollers are
used then the main processor can be programmed to perform the required arithmetic, hence
avoiding the need for a coprocessor.

Memory: The card contains RAM, ROM and nonvolatile memory (EPROM or EEPROM).
The space requirement of memory is a critical issue in designing smart cards as very little
space (22 mm^2) is available on the card. The typical values (in bytes) for the sizes of these
memories are 128, 3K and 4K respectively. The ROM contains the smart card operating system
written by mask during the chip manufacturing process. The RAM contains the intermedi-
ate results of the computations. The EEPROM contains the user-specific data individual to
each card. The EEPROM requires the same power supply as that used for the microcontroller (5V)
and can be written or erased many times. Some portion of the EPROM is not accessible
to the external world, and contains the secret information. Many precautions are taken while
manufacturing the memory and other devices for the smart card so as to avoid the possibility
of the secret information getting leaked even if the card gets into the hands of illegitimate
persons [Sim91].

Random Number Generator: Random number generation is very important for any
public key cryptosystem, as we discussed in Chapter 3. This unit is not required if the random
numbers can be generated by a software program. The security of a public key cryptosys-
tem is largely dependent upon the randomness of the generated numbers. [Knu81] discusses
various techniques for random number generation. Since in practice it is not possible to
generate perfectly random numbers, there must be some mechanism incorporated to avoid
the repetition of the sequence. One possible way is to update the seed for random number
generation by a counter which changes the count with processing.

6.1.2 What Can A Smart Card Do?

The main purpose of the smart card is to authenticate the card holder to a system which is
located at a remote place [Sch89, Miy92]. The smart cards are first initialized with proper
keys so that secure communication can be done using a cryptographic algorithm. The smart
card is inserted in a device called a smart card reader (also an electronic fund transfer machine
in financial transactions). Once a smart card is inserted, the following authentications are
done:

• User to Smart card: Every user is given a number called the personal identification number
(PIN). Using this PIN the smart card identifies the user. The basic drawback with the PIN
is that it needs to be remembered, and if it leaks out then correct authentication
will not be guaranteed. Instead of using a PIN, biometric techniques, i.e. voice or finger
print, are also used. But these techniques require more memory.

• Smart card to Remote System: Once the user verification is done, an authentication
process is performed using cryptographic algorithms to prove the validity of the card to the
remotely located system.

• Remote System to Smart Card: Similarly, a protocol is run to authenticate the system
to the card.

Once all of these processes are done successfully, the user is granted access to the system
and further communication can take place. In the next section, we discuss a protocol for a
smart card in detail which uses an elliptic curve public key algorithm.

6.2 Elliptic Curve Based Smart Card

Here we discuss how an elliptic curve public key algorithm can be employed in a smart card
to perform the tasks mentioned in the previous section. Various issues related to smart card
design and efficient implementation will be discussed in the sequel.

If data encryption is not required then Schnorr's scheme is a better choice than ElGamal's
scheme as it requires less data to be transferred and the signature generation involves only
one kV type of computation. The verification of the signature requires two such
computations but one of them requires less computation. Whenever the data is to be sent
in encrypted form then ElGamal's algorithm can be used. Now we discuss the ElGamal
scheme for authentication only. Here no message will be involved and the process will be
very similar to Diffie and Hellman's key exchange protocol.

Let u, U (= uV) and s, S (= sV) be the private and public keys of the user and the
remote system respectively. V is the base point. The remote system maintains a database
of the public keys of the users. The following information is required to be stored in the
card's memory.

• PIN number.

• Card's identity number.

• The field parameter (p for GF(p) and the modulo polynomial for GF(2^n)).

• The coefficients of the elliptic curve equation.

• The base point V.

• The size (number of bits) of the order of the elliptic curve.

• The secret key u.

• The public keys U and S.

A typical example of a financial transaction through verification by smart card goes as given
below.

1. User to card authentication: The user inserts the card in a smart card reader and enters his
PIN. If the PIN matches with that stored in the smart card memory, the process proceeds
further, otherwise terminates.
2. Card to system authentication: The card sends its identity number (not the PIN) to the sys-
tem.

(a) The system finds a random integer k, and computes kV. kV is sent to
the card.

(b) The card computes ukV using the secret key and sends it back to the system.

(c) The system computes kU and compares it with the ukV received from the card. If the
match is successful then the system can be sure of the validity of the card.

3. System to card authentication:

(a) The card finds a random integer k, and computes kV. kV is sent to the
system.

(b) The system computes skV using the secret key and sends it back to the card.

(c) The card computes kS and compares it with the skV received from the system. If the
match is successful then the card can be sure of the validity of the system.

Once the system and card authentication is done, the transaction can take place. The
transaction data can be sent in encrypted (ElGamal's scheme) or plain text format (Schnorr's
scheme) depending upon the requirement. The signature must always be put over each
transaction data to ensure authenticity throughout the process.

The microcontroller of the smart card is programmed to perform all the computations
required in the above protocol. The application program is stored in either ROM or EEP-
ROM. Apart from the security aspects, the encryption and decryption rate is also a major
criterion for selecting any algorithm for a cryptosystem. The throughput of any cryptosystem
depends upon the complexity of the basic operation involved in encryption and decryption,
which in the case of RSA and elliptic curve cryptosystems are modular exponentiation and com-
putation of a multiple of a point (kV) respectively. These operations are performed in terms of
arithmetic of the underlying field. The smart card often employs a coprocessor to carry out the
computations involved in the public key algorithm. For RSA algorithms the coprocessor per-
forms modulo exponentiation of at least 512 bit long integers. If an elliptic curve is selected
over GF(p) or GF(2^n) such that the size of the field is of the order of 10^40 (or greater) and
all the conditions mentioned in Chapter 3 are satisfied then the corresponding cryptosystem
will be secure. Since the elliptic curve public key algorithms require arithmetic of much
smaller integers (or elements in GF(2^n)) for the same level of security, the complexity of the
coprocessor reduces significantly.

The EEPROM contains all the information specific to the user and algorithm, i.e. public
key, private key, algorithm parameters. Sometimes it also contains the application programs.
Since the size of the available memory is limited, the storage requirements of any public key
algorithm are also one of the major criteria for its selection for a smart card.

Hence we see that in designing smart cards the storage requirements and the computa-
tional complexity of encryption and decryption are major issues. The computational aspect
is handled by the coprocessor which is designed to perform the arithmetic in the underlying
field. Hence the efficiency of the cryptosystem, in terms of implementation, is related to the com-
plexity and efficiency of the coprocessor. Now we focus our attention on various techniques
for efficiently implementing elliptic curve arithmetic in hardware as well as in software.
Later on we will combine all the results to show the feasibility of employing elliptic curve
public key algorithms in smart cards and compare them with other algorithms to show their
superiority.


6.3 Efficient Computation of Multiple of a Point 

As discussed in Chapter 3, computation of kV for a given integer k and a point V on elliptic 
curve is the basic operation in ElGamal’s and Schnorr’s algorithm. In this section, we discuss 
various techniques for efficient computation of kV in hardware and software implementation. 

Since this computation is the analogue of integer exponentiation, an analogue of the square-
and-multiply method [Knu81] for exponentiation, named accordingly double-and-add, can be used.
If

k = \sum_{i=0}^{t-1} k_i 2^i, \qquad k_i \in \{0, 1\},

then

kV = \sum_{i=0}^{t-1} k_i (2^i V).

Hence, we see that if k is a t-bit integer then the computation of kV requires t - 1 doublings
and at most t additions (not counting the doublings). The number of additions is equal to the
number of ones in the binary expansion of k (the leading one merely initializes the accumulator
with V). This algorithm is very useful for hardware implementation as it does not require any
precomputation or extra storage. We will see in the next section that doubling a point of an
elliptic curve group is considerably cheaper than adding two points. Since in this algorithm
doubling is used to reduce the number of steps in the total computation, the algorithm becomes
more attractive in view of that fact.

As we have seen in Chapter 3, subtraction of a point is as expensive as addition,
because the inverse \ominus V of a point V can be computed at the cost of at most one addition in the
underlying field. Recognizing this fact, we can improve the above algorithm by a minor
variation. The modified algorithm reduces the number of non-zero digits in the representation
of k by using both subtractions and additions. The binary form of k is rewritten as follows.
Starting from the LSB side, bits are grouped in pairs (as if k were written
in base 4 with the coefficients 0, 1, 2, 3 in binary form). Now, whenever a pair of bits
consists of two ones (coefficient 3 in the base 4 representation), it is replaced by (0, -1) and 1 is
added to the next pair as a carry, whereas the other pairs, i.e. (0,0), (0,1), (1,0), are left unchanged
(a carry may turn a pair into 3, which is then treated in the same way).
This process continues until the MSB is reached. The example given below illustrates this.

Example

Let k = 98474747. Then

k = 101110111101001101011111011 \quad (27 bits, 19 ones).

For this value of k the double-and-add method requires 26 doublings and 19 additions.
If we rewrite k according to the modified method, processing the pairs from the right and
propagating the carries, we get

k = 01\ 10\ 0\bar{1}\ 10\ 0\bar{1}\ 10\ 10\ 10\ 0\bar{1}\ 0\bar{1}\ 00\ 00\ 0\bar{1}\ 0\bar{1}

where \bar{1} represents -1 and the pairs are written from the most significant to the least
significant; the leading pair 01 is the digit produced by the final carry.

Now, for the same value of k, kV can be computed with 26 doublings, 6 additions and
6 subtractions. Since computationally subtraction and addition are the same, this requires 7 fewer
additions than the double-and-add method.

If k is represented by a string of only ones, this method shows a great improvement,
because for k = 2^t - 1 the simple double-and-add method requires t - 1 doublings and t
additions, whereas the modified version requires t doublings and a single subtraction
(k = 2^t - 1 becomes 2^t V \ominus V). In the worst case
(k represented by alternating 1s and 0s) the modified version is the same as the simple binary
method. Experimentally we have found that on average the total number of additions required in
the computation of kV is about one third of the number of bits in the binary representation of k. This method
is suitable for hardware implementation as it does not require any precomputed values,
except for the modified form of k, which is insignificant in comparison to the total computation.
In fact, the precomputation of the rearranged form of k can be avoided altogether by using the following
approach, in which the carry is folded into k itself.

Procedure Computekp(k, V)

1. Begin.

2. Sum = O (the point at infinity).

3. while (k > 0)

 (a) bit_pair = k AND 3.

 (b) k = k/4 (integer division, i.e. a right shift by two bits).

 (c) If (bit_pair == 3) then Sum = Sum \oplus (\ominus V) and k = k + 1.

 (d) If (bit_pair == 1) then Sum = Sum \oplus V.

 (e) V = V \oplus V.

 (f) If (bit_pair == 2) then Sum = Sum \oplus V.

 (g) V = V \oplus V.

4. End.

Here \oplus denotes point addition and \ominus V the inverse of V; the carry of step (c) is absorbed by
incrementing k, so no rewritten copy of k is ever stored. The two doublings after the last
non-zero digit can be skipped.
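The two methods above as an added worked example, not code from the thesis or its software package: the binary double-and-add method and Procedure Computekp with its on-the-fly recoding, run on a small curve y^2 = x^3 + 2x + 3 over GF(2^31 - 1) in affine coordinates, with the point operations counted. The prime, the curve coefficients and the scalar 98474747 are illustrative choices, and the point V is found by search rather than being a standardized base point.

```python
# Added example, not code from the thesis or its software package: the binary
# double-and-add method and Procedure Computekp (signed-digit recoding done on
# the fly) on a small elliptic curve in affine coordinates, counting the point
# operations. Curve y^2 = x^3 + 2x + 3 over GF(2^31 - 1) and the scalar are
# illustrative choices; the point V is found by search, not a standard base point.

P = 2**31 - 1      # Mersenne prime; P = 3 (mod 4), so sqrt(v) = v^((P+1)/4)
A, B = 2, 3        # assumed curve coefficients (4a^3 + 27b^2 != 0 mod P)


def ec_neg(V):
    """The inverse of a point, (x, -y); costs one field subtraction."""
    return None if V is None else (V[0], (-V[1]) % P)


def ec_double(V):
    """2V in affine coordinates: one inversion, tangent slope (3x^2 + a)/(2y)."""
    if V is None or V[1] == 0:
        return None
    x, y = V
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)


def ec_add(V, Q):
    """V + Q in affine coordinates; None is the point at infinity."""
    if V is None:
        return Q
    if Q is None:
        return V
    if V[0] == Q[0]:                       # same x: either Q = -V or Q = V
        return None if (V[1] + Q[1]) % P == 0 else ec_double(V)
    lam = (Q[1] - V[1]) * pow(Q[0] - V[0], -1, P) % P
    x3 = (lam * lam - V[0] - Q[0]) % P
    return (x3, (lam * (V[0] - x3) - V[1]) % P)


def recode_base4(k):
    """Signed digits d_i in {-1, 0, 1}, least significant first, with
    k = sum d_i 2^i: a base-4 digit 3 becomes (-1, 0) plus a carry."""
    digits = []
    while k > 0:
        pair, k = k & 3, k >> 2
        if pair == 3:
            digits += [-1, 0]
            k += 1
        else:
            digits += [pair & 1, pair >> 1]
    return digits


def double_and_add(k, V):
    """Binary method, MSB first. Returns (kV, doublings, additions); the
    leading one-bit is counted as an addition, as in the text."""
    acc, dbl, add = None, 0, 0
    for bit in bin(k)[2:]:
        if acc is not None:
            acc, dbl = ec_double(acc), dbl + 1
        if bit == "1":
            acc, add = ec_add(acc, V), add + 1
    return acc, dbl, add


def computekp(k, V):
    """Procedure Computekp: the carry of a digit 3 is folded into k, so no
    rewritten copy of k is stored. Doublings after the last non-zero digit
    are skipped. Returns (kV, doublings, additions, subtractions)."""
    acc, dbl, add, sub = None, 0, 0, 0
    while k > 0:
        pair, k = k & 3, k >> 2
        if pair == 3:
            acc, sub, k = ec_add(acc, ec_neg(V)), sub + 1, k + 1
        if pair == 1:
            acc, add = ec_add(acc, V), add + 1
        if pair == 2 or k > 0:
            V, dbl = ec_double(V), dbl + 1
        if pair == 2:
            acc, add = ec_add(acc, V), add + 1
        if k > 0:
            V, dbl = ec_double(V), dbl + 1
    return acc, dbl, add, sub


def base_point():
    """Constructed point: the first x for which x^3 + ax + b is a square mod P."""
    for x in range(1, P):
        v = (x**3 + A * x + B) % P
        y = pow(v, (P + 1) // 4, P)
        if y and y * y % P == v:
            return (x, y)
```

Both routines return the same point for k = 98474747; the binary method performs 26 doublings and 19 additions, Computekp 26 doublings, 6 additions and 6 subtractions, and for k = 7 = 8 - 1 the recoding turns three additions into one addition and one subtraction.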

Though the above two methods can be used for software implementation as well, the
speed can be improved significantly by using other methods based on the storage of precompu-
tations. Since memory is not a problem in software implementations, the methods based on stored
precomputations are preferred there. Some of these algo-
rithms are addition chains [Knu81], the signed binary window method [KT92] and vector addition
chains [Roo95].

In the next section, we give the addition formulae in projective coordinates. 

6.4 Addition Formulae in Projective Coordinates 

From the implementation point of view, it is desirable for any cryptosystem that encryption
and decryption be simple and fast. We have already discussed the security aspect
of elliptic curve based public key cryptosystems. In this section we explain alternative
techniques for the addition of points.

As we have seen in Chapter 3, the addition of two points in affine coordinates requires the computation of the inverse
of an element of the underlying field, which is very expensive in terms of time.
Here we give the addition formulae in projective coordinates [Men93b, AMV93, Miy92],
which avoid the inverse computation in every addition or doubling. One inverse
computation is still required to recover the affine coordinates from the projective ones,
and hence only one inversion is needed in the whole computation of kP. We adopt
the following notation.

P, Q, R \in E with P = (X_1, Y_1, Z_1), Q = (X_2, Y_2, Z_2) and R = (X_3, Y_3, Z_3), where the
X_i, Y_i, Z_i are elements of the field of definition.

For curves over GF{p) 

Let the equation of the elliptic curve be given by 

Y'^Z = X^ Y aXZ"^ A-bZ^ where a, b € GF{p) 

n 



The inverse of i)oiiit. 'P— OP~ (A'l, - 
If ©Q, P¥^ Q a-nd P + Q = Tl then 

A'3 = vA, 

Is = u{v'^XxZ2- A)-V^\\Z 2, 

. As = V^Z,Z2 

where u = Y2Z1 - Y1Z2, v = A2A1 - X1Z2, t = X2Z1 + Ai As, A = u^AiAs - vH. 

UP = Q then 

As = 2uv, 

Fs = <(4A - n) - 8FV, 

As = 

where v = FiAi, u — — 8 ^ 4 , A = AiFir;i, t = aZ\ + SA^. 

Here, we can see that while computing kP the inverse computation is avoided in each ad- 
dition. The inverse operation is needed to compute the affine coordinates by substituting 
X = A/A and y = Y jZ. In the above expressions, number of multiplication can be reduced 
further if one of the A-coordinate is taken to be one, i.e. affine coordinates. This can be 
done because in the computation of kP, whenever I or T is come across either P is added or 
subtracted. Hence, if P is taken in affine coordinate then corresponding A-coordinate can 
be taken 1. 
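The GF(p) formulae above as an added example, not code from the thesis: homogeneous projective addition and doubling with the special cases P = Q and P = \ominus Q dispatched, a double-and-add kept entirely in projective coordinates, and the single inversion deferred to the final conversion x = X/Z, y = Y/Z. The curve y^2 = x^3 + 2x + 3 over GF(2^31 - 1) and the search for a starting point are illustrative assumptions; the scaling check at the end shows that the formulae give the same affine result for any representative (\lambda X, \lambda Y, \lambda Z) of a point.

```python
# Added example, not code from the thesis: the projective addition and doubling
# formulae of Section 6.4 for y^2 = x^3 + a x + b over GF(p). Only to_affine
# performs an inversion. The curve, the scalars and the base-point search are
# constructed for illustration.

P = 2**31 - 1        # Mersenne prime, P = 3 (mod 4)
A, B = 2, 3          # assumed curve coefficients
INF = (0, 1, 0)      # projective point at infinity


def is_inf(pt):
    return pt[2] == 0


def same_point(p1, p2):
    """Projective equality: X1 Z2 = X2 Z1 and Y1 Z2 = Y2 Z1."""
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    return (x1 * z2 - x2 * z1) % P == 0 and (y1 * z2 - y2 * z1) % P == 0


def proj_neg(p1):
    return (p1[0], (-p1[1]) % P, p1[2])


def proj_double(p1):
    """2P with t = a Z1^2 + 3 X1^2, v = Y1 Z1, A = X1 Y1 v, u = t^2 - 8A."""
    x1, y1, z1 = p1
    if is_inf(p1) or y1 == 0:
        return INF
    t = (A * z1 * z1 + 3 * x1 * x1) % P
    v = y1 * z1 % P
    a_ = x1 * y1 * v % P
    u = (t * t - 8 * a_) % P
    x3 = 2 * u * v % P
    y3 = (t * (4 * a_ - u) - 8 * y1 * y1 * v * v) % P
    z3 = 8 * v * v * v % P
    return (x3, y3, z3)


def proj_add(p1, p2):
    """P + Q with u = Y2 Z1 - Y1 Z2, v = X2 Z1 - X1 Z2, t = X2 Z1 + X1 Z2 and
    A = u^2 Z1 Z2 - v^2 t. v = 0 means P = Q (double) or P = -Q (infinity)."""
    if is_inf(p1):
        return p2
    if is_inf(p2):
        return p1
    x1, y1, z1 = p1
    x2, y2, z2 = p2
    u = (y2 * z1 - y1 * z2) % P
    v = (x2 * z1 - x1 * z2) % P
    if v == 0:
        return proj_double(p1) if u == 0 else INF
    t = (x2 * z1 + x1 * z2) % P
    a_ = (u * u * z1 * z2 - v * v * t) % P
    x3 = v * a_ % P
    y3 = (u * (v * v * x1 * z2 - a_) - v * v * v * y1 * z2) % P
    z3 = v * v * v * z1 * z2 % P
    return (x3, y3, z3)


def to_affine(pt):
    """The single inversion of the whole computation: x = X/Z, y = Y/Z."""
    if is_inf(pt):
        return None
    zi = pow(pt[2], -1, P)
    return (pt[0] * zi % P, pt[1] * zi % P)


def on_curve(aff):
    x, y = aff
    return (y * y - (x**3 + A * x + B)) % P == 0


def scalar_mult(k, pt):
    """Binary double-and-add carried out entirely in projective coordinates."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = proj_double(acc)
        if bit == "1":
            acc = proj_add(acc, pt)
    return acc


def base_point():
    """Constructed point with Z = 1: first x whose x^3 + ax + b is a square."""
    for x in range(1, P):
        w = (x**3 + A * x + B) % P
        y = pow(w, (P + 1) // 4, P)
        if y and y * y % P == w:
            return (x, y, 1)
```

In a real implementation the base point P would be kept with Z = 1 so that the multiplications by Z_2 in proj_add disappear when P is the second operand, which is the mixed-coordinate saving described above.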

For curves over GF(2^n)

Let the equation of the non-supersingular elliptic curve be given by

Y^2 Z + X Y Z = X^3 + a X^2 Z + b Z^3, \qquad a, b \in GF(2^n).

The inverse of a point P is \ominus P = (X_1, X_1 + Y_1, Z_1).

If P \neq \ominus Q, P \neq Q and P + Q = R then

X_3 = A D,

Y_3 = C D + A^2 (B X_1 + A Y_1) Z_2,

Z_3 = A^3 Z_1 Z_2,

where A = X_2 Z_1 + X_1 Z_2, B = Y_2 Z_1 + Y_1 Z_2, C = A + B, D = A^2 (A + a Z_1 Z_2) + Z_1 Z_2 B C.

If P = Q then

X_3 = A B,

Y_3 = X_1^4 A + B (X_1^2 + Y_1 Z_1 + A),

Z_3 = A^3,

where A = X_1 Z_1, B = b Z_1^4 + X_1^4.

All the above arguments hold here as well. If we compare these addition formulae
with those for affine coordinates, we see that in spite of a few extra multiplications this
is still cheaper, because a single inversion in GF(2^n) costs many multiplications.

For supersingular elliptic curves, the equation is given by

Y^2 Z + a Y Z^2 = X^3 + b X Z^2 + c Z^3, \qquad a, b, c \in GF(2^n).

The inverse of a point P is \ominus P = (X_1, Y_1 + a Z_1, Z_1).

If P \neq \ominus Q, P \neq Q and P + Q = R then

X_3 = A B^2 Z_1 Z_2 + A^4,

Y_3 = B (A^2 (X_1 Z_2 + A) + B^2 Z_1 Z_2) + A^3 (Y_1 Z_2 + a Z_1 Z_2),

Z_3 = A^3 Z_1 Z_2,

where B = Y_2 Z_1 + Y_1 Z_2, A = X_2 Z_1 + X_1 Z_2.

If P = Q then we need not go to projective coordinates, as the doubling operation requires only the inverse
of the coefficient a, which can be precomputed. Hence Z_1 and Z_3 can be taken to be 1, and X_3
and Y_3 are given by the following expressions.

X_3 = (X_1^4 + b^2) / a^2,

Y_3 = \frac{X_1^2 + b}{a} (X_1 + X_3) + Y_1 + a.

For supersingular curves the doubling operation requires two multiplications and a few squar-
ings (which require just one clock cycle, see Section 6.6), and an addition requires 10 multi-
plications. Hence additions and doublings can be done more efficiently for supersingular
curves over GF(2^n) than for non-supersingular elliptic curves. But since the MOV
reduction attack is a serious threat for supersingular curves (it maps the discrete logarithm into
GF(2^{kn}) with k at most 4 for these curves), the curve and working field
should be selected such that the security of the cryptosystem remains unquestionable.

6.5 Efficient Arithmetic in GF(p)

In Sections 6.3 and 6.4 we discussed efficient techniques for the computation of kP and for the
addition of points. Since the addition of points requires arithmetic in the underlying field, the efficiency of
the cryptosystem is largely dependent upon it. In this section we discuss the implementation
issues of the basic arithmetic operations in GF(p).

The basic arithmetic operations in GF(p) are modular multiplication and addition. Other
operations, like square root mod p and the inverse of an element, can be computed in terms of
these. Hence any improvement in these two basic operations will enhance the
performance of the overall system. In fact, modular addition (or subtraction) is not much
different from simple addition (or subtraction), except that whenever the result exceeds the modulus
p (or goes below zero), p is subtracted from it (or added to it, respectively). Hence modular
addition can be done at the cost of one comparison in addition to the simple addition.

But multiplication modulo p is computationally expensive, because once the two
integers have been multiplied, their reduction modulo p by trial division is a
computation-intensive operation. In 1985, Montgomery [Mon85] introduced a scheme in
which the reduction can be done at the cost of roughly one extra simple multiplication.
We discuss here the Montgomery scheme for multiprecision arithmetic [DJ91], which is of
interest to us because the prime p will be at least 130 bits long.

This method requires, first of all, the problem variables to be transformed into a special
p-residue form. To form the Montgomery representation, we choose some R such that R > p
and R is relatively prime to p (gcd(R, p) = 1). By choosing R to be a power of 2, division by R
becomes inexpensive, since division by a power of two is just a right shift. An integer
x in Montgomery representation is given by

x_m = x R \bmod p.

We translate normal integers to Montgomery representation, do our multiplications in this
representation, then translate back to the normal representation. Since R and p are
relatively prime, this map is one-to-one on \{0, 1, 2, \ldots, p - 1\}: every integer has
a unique representation. To convert from Montgomery representation back to the normal represen-
tation, we need the inverse of R under multiplication mod p. Let it be R'. Then

x = x_m R' \bmod p.

In the multiprecision case, the parameters p, R and the input x are multiple-precision integers
and hence involve multiprecision arithmetic. That is, an integer x is represented as a sequence
of digits x_0, \ldots, x_{n-1}, where

x = x_{n-1} b^{n-1} + \cdots + x_1 b + x_0,

b is the base, typically a power of 2 (the word size of the processor), and n is the number of
digits. We choose R = b^n. The algorithm for modular multiplication is given below;
its result is again in Montgomery representation.

Procedure Montmult(A, B)

(** A and B are in Montgomery representation; p_0 denotes the least significant digit of p and T_i the i-th digit of T **)

1. Begin.

2. p'_0 := -p_0^{-1} \bmod b.

3. T := 0.

4. for i := 0 to n - 1 do

 (a) T := T + A_i * B * b^i.

 (b) m_i := T_i * p'_0 \bmod b.

 (c) T := T + m_i * p * b^i.

 (d) end.

5. T := T/R.

6. If T \geq p then T := T - p.

7. End.

Step (c) makes digit i of T zero, so after the loop T is an exact multiple of R and step 5 is a
shift; before step 6 the result satisfies T < 2p, so a single conditional subtraction completes the
reduction. Here we can see that this method requires roughly two multiprecision multiplications
(2n^2 + n digit products) to perform one modular multiplication, which is cheaper than
trial-division based reduction. The division by R in step 5 is simply a right shift of bits, and hence
can be done quite easily in both hardware and software implementations. [KABSK96] includes a comparison of a few
variants of the Montgomery scheme for efficiency in time and space. Though significant
work is being done on developing hardware for Montgomery multiplication, it is better
to write a module in assembly language for some DSP processor which can perform a 32-
bit multiplication in one clock cycle. If p can be represented in n blocks of 32 bits, then
this will require (2n^2 + n) 32-bit multiplications, so the total number of clock cycles
required will be about 2n^2 + n. In comparison, the number of clock cycles
required to perform a Montgomery multiplication in a bit-serial hardware multiplier equals the number of bits in the
binary representation of p. For example, if p is a 120-bit prime then the hardware scheme will
require 120 clock cycles, whereas the DSP based implementation (n = 4) will require approximately
40 cycles.
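Procedure Montmult as an added example, not the thesis's code: digit-serial Montgomery multiplication with b = 2^32 and R = b^n, the final conditional subtraction made explicit, the conversions x \mapsto xR \bmod p and back (the constant R^2 \bmod p is assumed to be computed once per modulus), and a square-and-multiply exponentiation that stays in Montgomery form throughout. The modulus 2^127 - 1 and the operands are illustrative choices.

```python
# Added example, not code from the thesis: word-level Montgomery multiplication
# as in Procedure Montmult, base b = 2^W, n words, R = b^n. The modulus and
# operands used in the checks are illustrative.

W = 32                   # word size in bits, b = 2^W
MASK = (1 << W) - 1


class Montgomery:
    def __init__(self, p):
        assert p % 2 == 1, "p must be odd so that gcd(R, p) = 1"
        self.p = p
        self.n = (p.bit_length() + W - 1) // W             # number of digits
        self.R = 1 << (W * self.n)                           # R = b^n > p
        self.p0_inv = (-pow(p & MASK, -1, 1 << W)) & MASK    # p0' = -p0^{-1} mod b
        self.R2 = self.R * self.R % p                        # R^2 mod p, assumed precomputed once

    def mul(self, A, B):
        """Returns A * B * R^{-1} mod p for 0 <= A, B < p (steps 4(a)-(c), 5, 6)."""
        p, n = self.p, self.n
        T = 0
        for i in range(n):
            a_i = (A >> (W * i)) & MASK
            T += a_i * B << (W * i)                 # T := T + A_i * B * b^i
            t_i = (T >> (W * i)) & MASK
            m_i = (t_i * self.p0_inv) & MASK        # m_i := T_i * p0' mod b
            T += m_i * p << (W * i)                 # T := T + m_i * p * b^i, clears digit i
        T >>= W * n                                  # T := T / R, exact
        return T - p if T >= p else T                # T < 2p here, one subtraction suffices

    def to_mont(self, x):
        """x -> xR mod p, as a Montgomery product with the constant R^2 mod p."""
        return self.mul(x % self.p, self.R2)

    def from_mont(self, xm):
        """xR -> x: a Montgomery product with 1 supplies the factor R^{-1}."""
        return self.mul(xm, 1)

    def powmod(self, x, e):
        """x^e mod p by square-and-multiply, all products in Montgomery form."""
        acc = self.to_mont(1)
        xm = self.to_mont(x)
        for bit in bin(e)[2:]:
            acc = self.mul(acc, acc)
            if bit == "1":
                acc = self.mul(acc, xm)
        return self.from_mont(acc)
```

With p = 2^127 - 1 the class uses n = 4 digits and R = 2^128, the word count the text assumes for a 130-bit prime; the conditional subtraction at the end of mul is the step the procedure leaves implicit, and dropping it would let results drift above p.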

Other than modular multiplication, the computation of square roots modulo p and of the inverse
of an element is also needed in a cryptosystem implementation. We discussed one scheme for
computing square roots modulo p in Chapter 5. The inverse of any element can be found
using the extended Euclidean algorithm [Knu81].

All of the above schemes involve simple multiprecision multiplications. Recognizing the fact
that squaring is simpler than multiplication, the following observation leads to a significant
improvement. Let

m = \sum_{i=0}^{n-1} m_i b^i.

Then

m^2 = \sum_{i=0}^{n-1} m_i^2 b^{2i} + 2 \sum_{i=0}^{n-2} \sum_{j=i+1}^{n-1} m_i m_j b^{i+j},

so a squaring needs only about half the digit products of a general multiplication.
[Knu81] and [Zur94] contain several other algorithms for the efficient multiplication of large
integers.

6.6 Efficient Arithmetic in GF(2^n)

The finite field GF(2^n) is very attractive for hardware implementation, as its elements are
represented by strings of n bits and the arithmetic operations are carried out with logic
gates. The field GF(2^n) is an n-th degree extension of GF(2) and is defined by a primitive
polynomial of degree n over GF(2) [Men93a, LN94, McE87]. Let f(x) be such a polynomial
and \alpha a root of it in GF(2^n); then any \beta \in GF(2^n) can be written as

\beta = \sum_{i=0}^{n-1} \beta_i \alpha^i, \qquad \beta_i \in GF(2).

If \alpha is known then \beta can be represented by the coordinates (\beta_i) only. This representation
is called the standard basis representation. Obviously, the addition of two elements gives
a third element whose coefficients are the bitwise modulo 2 sums of the coordinates of
the two summands; in other words, summation of two elements is
equivalent to bitwise XORing of the coordinates. The multiplication of two elements is equivalent
to the multiplication of two polynomials of degree n - 1 modulo f(\alpha).

Let A = (a_0, \ldots, a_{n-1}), B = (b_0, \ldots, b_{n-1}) and C = (c_0, \ldots, c_{n-1}) be their product.
The following algorithm, which is suitable for both hardware and software implementations,
can be used for the computation of C. Here f = (f_0, \ldots, f_n) denotes the coefficients of the modulus
polynomial, and C is held in an (n+1)-bit register whose extra bit c_n catches the overflow of each
shift. The bits of B are consumed from the most significant end, so that each iteration multiplies
the partial product by \alpha (a shift towards the higher index), reduces it modulo f if it overflows,
and then adds A when the current bit of B is one.

Procedure GF2PROD(A, B)

1. Begin.

2. Set C = (0, \ldots, 0).

3. for i = 0 to n - 1

 (a) begin

 (b) Shift the bits of C one position towards the higher index (c_j \leftarrow c_{j-1}, c_0 \leftarrow 0).

 (c) if (c_n = 1) then C = C \oplus f.

 (d) if (b_{n-1-i} = 1) then C = C \oplus A.

 (e) end.

4. End.

In a software implementation, if the elements of GF(2^n) are represented by arrays of x-bit words,
then this algorithm computes the product in about n \lceil n/x \rceil word operations. The hardware
circuit for the above algorithm requires n clock cycles, and the complexity of the circuit
depends upon the number of non-zero coefficients in the modulus polynomial f(x). We will present the
algorithm for the computation of the inverse later. For the computation of square roots in GF(2^n),
see [McE87, Cha95].

Any element of GF(2^n) can be considered as an n-tuple, and these n-tuples constitute an n-
dimensional vector space over GF(2). If (\beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{n-1}}) is a basis for this space, then
we call it a normal basis and \beta the normal basis generator. It can easily be shown that squaring
an element in normal basis representation is equivalent to one right cyclic shift of the cor-
responding binary n-tuple. Hence if A = (a_0, a_1, \ldots, a_{n-1}) then A^2 = (a_{n-1}, a_0, \ldots, a_{n-2}).
Addition is the same as for the standard basis. The multiplication of two elements can be
achieved by a logic function. Let C = AB and let the logic function g give c_k from A and B.
Then

c_k = g(a_0, a_1, \ldots, a_{n-1}; b_0, b_1, \ldots, b_{n-1}).

Since

C^2 = (c_{n-1}, c_0, c_1, \ldots, c_{n-2}) = A^2 B^2 = (a_{n-1}, a_0, \ldots, a_{n-2}) (b_{n-1}, b_0, \ldots, b_{n-2}),

we get

c_{k-1} = g(a_{n-1}, a_0, \ldots, a_{n-2}; b_{n-1}, b_0, \ldots, b_{n-2}).

Hence we see that the structure of the logic function required to compute any particular coordinate
of C is the same. By giving cyclic shifts to the vectors A and B, we can compute the different bits of C.

It was proved in [MOVW89] that the logic function g requires at least 2n - 1 product terms (logic gates).
A normal basis which attains this bound is called an optimal normal basis, ONB in short.
Hence, with this representation, squaring can be done in one clock cycle and, moreover, the
complexity of the multiplier circuit is minimal [MOVW89, GV95, ABV89, Men93a].
Obviously, the product is obtained in n clock cycles. The ONB is very useful from
the point of view of hardware implementation. See [Fen89, WTS+85, AMOV91] for various
VLSI designs.
We will discuss the existence and construction of optimal normal bases in the next section.
Now we give the method for the computation of the inverse [Men93b]. Let \gamma \in GF(2^n), \gamma \neq 0. Then

\gamma^{-1} = \gamma^{2^n - 2}.

Now, if n is odd then

\gamma^{-1} = \gamma^{2 (2^{(n-1)/2} - 1)(2^{(n-1)/2} + 1)}.

If n is even then

\gamma^{-1} = \gamma^{2 \left( 2 (2^{(n-2)/2} - 1)(2^{(n-2)/2} + 1) + 1 \right)}.

In both cases, computations of the type \gamma^{2^m - 1} are required. This term is computed by
applying the same decomposition recursively. [Fen89] discusses a VLSI design for inverse computation
for small n. The complexity of the circuit for this algorithm is very high for large values of n.
For large n we give a variation of it which requires more multiplications
but is easy to implement in hardware. Let n - 1 = gh. Then

2^{n-1} - 1 = 2^{gh} - 1 = \Bigl( \sum_{i=0}^{g-1} 2^{ih} \Bigr) \Bigl( \sum_{j=0}^{h-1} 2^{j} \Bigr).

Hence

\gamma^{-1} = \gamma^{2^n - 2} = (\gamma^2)^{2^{n-1} - 1} = (\gamma^2)^{\left( \sum_{i=0}^{g-1} 2^{ih} \right) \left( \sum_{j=0}^{h-1} 2^{j} \right)}.

We can see that this algorithm can easily be implemented in hardware, as it does not require a
recursive operation: raising \gamma^2 to the exponent \sum_{j=0}^{h-1} 2^j takes h - 1 multiplications, and
raising the result to \sum_{i=0}^{g-1} 2^{ih} takes g - 1 more, so it takes g + h - 2 multiplications in total.
We ignore the squarings, as they require just one clock cycle. This method requires the minimum number of multiplications
when the difference between g and h is as small as possible.
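Procedure GF2PROD and the inversion of this section as an added example, not code from the thesis: standard-basis arithmetic in GF(2^13) with f(x) = x^13 + x^4 + x^3 + x + 1, assumed irreducible (the check \alpha^{2^13} = \alpha confirms it at run time, since f has no root in GF(2) and 13 is prime), the bit-serial product (shift, reduce, add), squaring by spreading the bits, and \gamma^{-1} = (\gamma^2)^{2^{gh} - 1} computed through the factorisation of 2^{gh} - 1 with n - 1 = 12 = g h. General multiplications are counted so that the g + h - 2 figure can be verified; the element inverted is an arbitrary illustrative value.

```python
# Added example, not code from the thesis: GF(2^n) in standard basis with
# elements held as Python ints (bit i = coefficient of alpha^i). The field
# GF(2^13) with f(x) = x^13 + x^4 + x^3 + x + 1 and the operands are chosen
# for illustration.

N = 13
F = (1 << 13) | (1 << 4) | (1 << 3) | (1 << 1) | 1   # modulus polynomial f(x)
MUL_COUNT = [0]                                        # general multiplications performed


def gf2_reduce(s):
    """Reduce a polynomial of degree < 2N modulo f, highest term first."""
    for d in range(2 * N - 2, N - 1, -1):
        if s >> d & 1:
            s ^= F << (d - N)
    return s


def gf2_mul(a, b):
    """GF2PROD: for each bit of B, MSB first, C = C*alpha (XOR f if c_n is set), then C += A."""
    MUL_COUNT[0] += 1
    c = 0
    for i in range(N - 1, -1, -1):
        c <<= 1
        if c >> N & 1:
            c ^= F
        if b >> i & 1:
            c ^= a
    return c


def gf2_sq(a):
    """a^2: in characteristic 2 the cross terms cancel, so coefficient i moves to degree 2i."""
    s = 0
    for i in range(N):
        if a >> i & 1:
            s |= 1 << (2 * i)
    return gf2_reduce(s)


def gf2_sq_pow(a, m):
    """a^(2^m) by m squarings (one clock cycle each in hardware)."""
    for _ in range(m):
        a = gf2_sq(a)
    return a


def gf2_pow_2m_minus_1(a, m):
    """a^(2^m - 1) with m - 1 multiplications: r <- r^2 * a turns a^(2^j - 1) into a^(2^(j+1) - 1)."""
    r = a
    for _ in range(m - 1):
        r = gf2_mul(gf2_sq(r), a)
    return r


def gf2_inv(gamma, g, h):
    """gamma^{-1} = (gamma^2)^(2^(gh) - 1) for n - 1 = g*h, computed as
    ((gamma^2)^(2^h - 1))^(1 + 2^h + 2^(2h) + ... + 2^((g-1)h)).
    Returns (inverse, number of general multiplications used)."""
    assert gamma != 0 and g * h == N - 1
    MUL_COUNT[0] = 0
    eps = gf2_pow_2m_minus_1(gf2_sq(gamma), h)      # h - 1 multiplications
    r = eps
    for _ in range(g - 1):                           # g - 1 multiplications
        r = gf2_mul(gf2_sq_pow(r, h), eps)
    return r, MUL_COUNT[0]
```

For n = 13 both splittings 3 \cdot 4 and 4 \cdot 3 cost g + h - 2 = 5 multiplications, against 11 for the direct exponent 2^{12} - 1; the equality of the two results is what the run-time check relies on.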

From the above discussion it is obvious that the optimal normal basis representation makes
GF(2^n) attractive for hardware implementation. In the next section we explain the selection
criteria for the working field and the curve for an efficient and secure cryptosystem.


6.7 Selection of Field and Curve for Smart Cards 

So far we have discussed efficient techniques to carry out the computations of an elliptic
curve public key algorithm in hardware and software implementations. In this section we
concentrate on the selection of the field and the curve for smart card applications. Our major concern
will be to minimize the storage of a smart card employing an elliptic curve public key algorithm.
We will also see whether the selection of field and curve can reduce the total computation involved.

We first concentrate on the storage requirements [Miy92], which are very important in a hardware
implementation. Let the selected field be such that the binary representation of an element
requires n bits. An elliptic curve based smart card requires the following information to be stored
in memory.

• working field parameter (for GF(p) only) [n bits],

• curve coefficients a, b (and c for supersingular curves over GF(2^n)) [2n bits],

• secret key [n bits],

• base point [2n bits],

• public keys of self and system [4n bits],

• size (number of bits) of the order of the curve,

• PIN and card identification number.

Let us first concentrate on elliptic curves over GF(2^n). As discussed in the previous
section, optimal normal bases are very attractive for hardware implementation of GF(2^n)
arithmetic, as squaring and addition can be performed in one clock cycle and the multiplier has
minimal complexity. Unfortunately, an ONB does not exist in every extension of GF(2).
We will discuss its existence later in this section. But if an ONB exists in GF(2^n) then it
will be unique and the corresponding multiplier will also be unique, irrespective of the modulus
polynomial used for defining the field GF(2^n). Once we know the ONB representation of
the elements of GF(2^n), the modulus polynomial is no longer required. Hence there is no
need to store the modulus polynomial in the memory of the smart card.

If a non-supersingular elliptic curve is selected then the addition formulae require only the co-
efficient a. Hence only the coefficient a needs to be stored. As we discussed in Chapter 4, the
coefficient a can be taken to be zero if the order of the curve is congruent to 0 modulo 4. Hence in such
a case the storage can be reduced further. The addition of two points on a supersingular
curve requires a and b. The size of the secret key will be approximately the same as that of the
field. The base point requires the storage of two GF(2^n) elements. The two public keys require
the storage of four elements of GF(2^n). It may not always be necessary to store the public keys in
the smart card if all the keys are kept in a common database which contains all the
public keys with their certificates [Sta95]. The storage requirement for the size of the order is
insignificant. Similarly, the PIN and the card's identity number are always required. Hence we see
that an elliptic curve based smart card requires 8n or 9n bits of storage according as the curve
is non-supersingular or supersingular. If the non-supersingular curve is selected so that the
coefficient a is zero, then 7n bits need to be stored. Now we discuss the existence of an ONB
in an extension GF(2^n) of GF(2). The following two theorems tell us about the existence
of an ONB in GF(2^n).

Theorem 6.1 If n + 1 is prime and 2 is a primitive element of GF(n + 1), then the (n + 1)th roots
of unity in GF(2^n) form an optimal normal basis.

Theorem 6.2 If 2n + 1 is prime and either

1. 2 is primitive in GF(2n + 1), or

2. 2n + 1 \equiv 3 \pmod 4 and 2 generates the quadratic residues in GF(2n + 1),

then for a (2n + 1)th root of unity \beta in GF(2^{2n}), \gamma = \beta + \beta^{-1} is an optimal normal basis
generator.

Now the selected field GF(2^n) should be such that n satisfies one of the conditions given in
these two theorems. If the condition of Theorem 6.1 is met, then n + 1 divides 2^n - 1.
If \alpha is a primitive element of GF(2^n) then \alpha^{(2^n - 1)/(n+1)} is an optimal normal basis
generator. If the second condition of Theorem 6.2 is satisfied, then 2^n - 1 is divisible
by 2n + 1 and \alpha^{(2^n - 1)/(2n+1)} is the element \beta of Theorem 6.2; the ONB generator
\gamma can then be computed from the relation given in Theorem 6.2. It remains to explain the
first part of Theorem 6.2. In this case the construction of the ONB generator is very difficult
for a known GF(2^n), because the problem is equivalent to embedding GF(2^n) in GF(2^{2n}),
which is very difficult for large fields. Hence this case will be impractical for those cases of the
curve construction algorithm in which the modulus polynomial is produced by the algorithm itself.
For the cases covered by Theorem 6.2, it is possible to obtain the minimal polynomial of the
optimal normal basis generator [Men93a] using a Fibonacci-like recursive sequence.

Let f_0(x) = 1 and f_1(x) = x + 1. Then f_n(x) generated by the following sequence is the
minimal polynomial of the ONB generator in GF(2^n):

f_t(x) = x f_{t-1}(x) + f_{t-2}(x), \qquad t \geq 2.

Now, if we select n such that it satisfies the first part (or also the second part) of Theorem 6.2 and
n is composite, then a curve can be constructed over a field which is a subfield of GF(2^n).
Hence in such a case a polynomial of smaller degree will have to be factored in GF(2^n), with
GF(2^n) defined by the minimal polynomial of the ONB generator. For the architecture of the multiplier
circuit, see [GV95, AMOV91, Cha95].
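Theorems 6.1 and 6.2 and the recurrence for f_n as an added example, not the thesis's code: a test for whether GF(2^n) has a type I or type II optimal normal basis, and the Fibonacci-like construction of the minimal polynomial of the type II generator, with polynomials over GF(2) held as integers (bit i is the coefficient of x^i). Trial-division primality testing and a brute-force multiplicative order are assumed adequate for the sizes of n in question; the values of n checked afterwards, including 128, 130 and 163, are illustrative.

```python
# Added example, not code from the thesis: existence tests for an optimal
# normal basis of GF(2^n) over GF(2) (Theorems 6.1 and 6.2) and the minimal
# polynomial recurrence f_0 = 1, f_1 = x + 1, f_t = x f_{t-1} + f_{t-2}.
# Polynomials over GF(2) are ints; the n values exercised are illustrative.


def is_prime(m):
    """Trial division; adequate for the field sizes considered here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def mult_order(a, m):
    """Order of a in the multiplicative group of the odd prime m."""
    assert m > 2 and a % m != 0
    k, x = 1, a % m
    while x != 1:
        x, k = x * a % m, k + 1
    return k


def onb_type1(n):
    """Theorem 6.1: n + 1 prime and 2 primitive modulo n + 1,
    so the (n+1)th roots of unity form the basis."""
    return n >= 2 and is_prime(n + 1) and mult_order(2, n + 1) == n


def onb_type2(n):
    """Theorem 6.2: 2n + 1 prime and either 2 primitive mod 2n + 1, or
    2n + 1 = 3 (mod 4) and 2 generates the quadratic residues, i.e. has order n."""
    q = 2 * n + 1
    if not is_prime(q):
        return False
    order = mult_order(2, q)
    return order == 2 * n or (q % 4 == 3 and order == n)


def has_onb(n):
    return onb_type1(n) or onb_type2(n)


def onb_list(limit):
    """All n <= limit for which GF(2^n) has an optimal normal basis."""
    return [n for n in range(1, limit + 1) if has_onb(n)]


def onb_minpoly(n):
    """f_n(x) from f_t = x f_{t-1} + f_{t-2} over GF(2): multiplication by x
    is a left shift and addition is XOR."""
    f_prev, f_cur = 1, 0b11          # f_0 = 1, f_1 = x + 1
    if n == 0:
        return f_prev
    for _ in range(2, n + 1):
        f_prev, f_cur = f_cur, (f_cur << 1) ^ f_prev
    return f_cur
```

The checks confirm the well-known facts that GF(2^128) and GF(2^163) have no optimal normal basis while GF(2^130) (type I) and GF(2^131) (type II) do, and that f_3 = x^3 + x^2 + 1 and f_5 = x^5 + x^4 + x^2 + x + 1 are the polynomials the recurrence produces for n = 3 and n = 5.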

Squaring and addition in GF(2^n) in ONB representation are equivalent to one cyclic shift and an XOR
respectively, and hence can easily be implemented in hardware. The inverse of any
element can be computed using repeated squarings and multiplications as discussed in the
previous section. Hence the inverse computation circuit requires a multiplier and a squarer
(shifter). By proper interconnection of the multiplier and squarer circuits and by controlling
the number of squarings and multiplications through software, the inverse computation can be
done efficiently.

Therefore, the coprocessor to be used in the smart card will consist of modules for a
multiplier, an adder and a shifter. Another important issue is the data transfer overhead. Since
present microcontrollers have an 8-bit data bus, field elements can be transferred
to the coprocessor only in 8-bit blocks. If the working field is GF(2^{128}), then it will take at
least 2 * 128/8 = 32 clock cycles to transfer the two elements involved in a multiplication
and, moreover, 16 cycles will be required to get the multiplier output from the coprocessor.
To avoid this data transfer overhead, a register bank can be built into the coprocessor to
hold the intermediate results. It would be desirable if the coordinates of the point V in the
computation of kV were transferred to the coprocessor at the beginning, and the rest of the operations
controlled by the main processor through control signals, while the register bank in the
coprocessor stores all the intermediate results. Since the size of the elements involved
is quite small compared to those involved in RSA coprocessors, the complexity of the
coprocessor circuit will be significantly less. Hence building a register bank into the
coprocessor should not be difficult.

If the working field is GF(p), then the storage requirement can be reduced if the x coordi-
nate of the base point is zero; this also reduces the computation required. If the
x coordinate of the base point is not zero, both coordinates still need not be stored: if the
x coordinate is stored along with the least significant bit of the y coordinate, then y can
be recovered from the elliptic curve equation. The same holds for the public keys. Hence, under
such conditions, the storage requirement is 7n + 2 bits. Since for a secure cryptosystem the
prime p will be approximately 130 bits long, the total storage required is about 912 bits. As we
discussed earlier, a modular multiplication can be computed at the cost of two simple mul-
tiple precision multiplications using Montgomery's scheme. Hence if a 32-bit microcontroller
is used in the smart card, then a modular multiplication in a prime field of 130-bit order
will require 2(130/32)^2 + (130/32) \approx 36 32-bit products. If the microcontroller can perform a
32-bit multiplication in one clock cycle, then one modular multiplication can be performed
quite efficiently, which avoids the need for a coprocessor.

In this section, we discussed issues related to smart card design. In the next section we 
compare the elliptic curve based smart cards with RSA based smart cards. 


6.8 Comparison with RSA 

As we discussed in the previous section, an elliptic curve based smart card needs 8n or 9n
bits of storage according as non-supersingular or supersingular elliptic curves over GF(2^n) are used.
If n is 130, the storage requirement is roughly 1K bits or 1.1K bits. Similarly, for curves
over GF(p) the storage requirement is approximately 912 bits if the field prime is 130 bits
long. Now we make an estimate of the storage requirement of RSA based smart cards for
the sake of comparison.

As we discussed in Chapter 1, the RSA cryptosystem requires a modulus of at least 512 bits. In the
case of RSA, the only items to be stored are two modulus and public key pairs (own and system) and one
secret key. Since each of these is 512 bits long, the total storage requirement is approximately
2560 bits, which is more than double of what is required for an elliptic curve based smart
card. Similarly, for a cryptosystem based on the DLP in a finite field, n will be at least
700 and hence the total storage requirement is about 4200 bits. Hence we can see that elliptic curve
cryptosystems require less memory than other public key cryptosystems.

The complexity of the coprocessor for the RSA algorithm is far more than that required
for elliptic curve based algorithms. The security aspects were discussed in Chapter 3.
Now we make an estimate of the expected throughput. For information about the speed of
RSA (and other) cryptosystems, see [DVJ96, DJ91, WDJ99, OSA99, FOM99,
Sim91, dWQ99].

The major computation in an elliptic curve public key algorithm is the computation of a
multiple of a point. In the case of elliptic curves over GF(p), addition and doubling of points in
projective coordinates require 15 and 13 modular multiplications respectively. If k is x bits long and has Hamming
weight y (number of 1's and \bar{1}'s), then the total number of multiplications required is
13x + 15y. Since for the cryptosystem to be secure the order of the curve (and hence the value of
p as well) should be 130 bits long, the typical values of x and y are 130 and 130/3. Hence the
total number of 130-bit modular multiplications required is approximately 2300. An
equivalent cryptosystem with a 512-bit modulus requires about 750 modular multiplications
of 512-bit integers. If integers are represented in arrays of 32-bit words, then each
512-bit integer requires 16 such words, whereas a 130-bit integer requires only about
4 such words, and the cost of a Montgomery multiplication grows with the square of the word count.
Obviously, if the coprocessor employs a 32-bit multiplier, then the computation of kV
will require approximately 2300 * 4^2 = 36800 32-bit multiplications, whereas RSA will require
750 * 16^2 = 192000 32-bit multiplications. These estimates clearly show the advantage of
elliptic curve cryptosystems.

Similarly, the computation of kV for non-supersingular elliptic curves over GF(2^n) will
require 7x + 13y multiplications, because doubling and addition of points require 7 and 13
multiplications respectively. Since each multiplication in a bit-serial multiplier requires n clock cycles, the expected number
of clock cycles in the computation of kV will be 7nx + 13ny. If x and y are 130 and 130/3 re-
spectively, then the number of clock cycles required in the computation of kV is roughly
2 \times 10^5, which ensures a high throughput rate in comparison to existing RSA cryptosystems
and other public key cryptosystems. Supersingular curves give a much higher throughput,
as the numbers of multiplications in addition and doubling are 10 and 3 respectively.

Hence we see that elliptic curves are a suitable candidate for smart card applications.
With the pace of progress in computational technology, it is expected that RSA with a 512-bit
modulus will face serious security threats in the near future, and RSA cryptosystems
with larger moduli are already being realized. In such a scenario, elliptic curve
cryptosystems will definitely be a better alternative to RSA cryptosystems.
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Chapter 7 

Implementation Results 


Based on the theory discussed so far, we have developed a software package for elliptic curve 
public key cryptography which includes programs for the construction of elliptic curves 
and public key algorithms for cryptographic operations, i.e. encryption, decryption and 
signature generation. In this chapter we discuss various examples to cover all the cases 
mentioned in the curve construction algorithms. In the first section, we give a brief 
description of the implementations done. 


7.1 Software Implementation 

In this thesis our major concern is the construction of elliptic curves over GF(2^n) and 
GF(p) which are suitable for cryptography. We also discussed various issues related to 
efficient implementation of cryptosystems. The thesis also includes a software implementation 
of elliptic curve public key algorithms over GF(2^n) and GF(p). As the implementation of an 
elliptic curve public key cryptosystem requires arithmetic in GF(p) and GF(2^n), various 
efficient routines have been developed to perform arithmetic on multiple precision integers 
and in GF(2^n). For the curve construction, we used a package called SIMATH which contains 
numerous routines to perform arithmetic in number fields and finite fields. Here we give 
a listing of the software implementation done. All the programs have been developed in 
the C language and tested on a Pentium-100MHz machine. 

• Routines for multiprecision arithmetic: Several routines have been developed to carry 
out modular arithmetic on very large integers. The routines include integer multipli- 
cation, division, exponentiation, Montgomery modular multiplication and exponenti- 
ation, trial division, modular arithmetic, gcd computation, inverse and modular square 
root computation etc. Apart from these, routines for finding binary quadratic forms 
and class numbers for negative discriminants have also been developed. 

• Routines for GF(2^n) arithmetic: Various routines have been developed for GF(2^n) 
arithmetic. A few of these are as follows: product in standard basis representation, 
addition, inverse computation, square root computation, inversion of a binary matrix for 
transforming the basis of representation. 

• Curve construction programs: The algorithms discussed in Chapter 4 for the construction 
of non-supersingular elliptic curves over GF(p) and GF(2^n) have been implemented on 
SIMATH, a package for algebraic computations. A program has also been developed 
for constructing supersingular curves over GF(2^n). We will discuss the implementation 
results later in this chapter. 

• Implementation of cryptosystem: Various programs have been written to implement the 
ElGamal cryptosystem over GF(2^n) and GF(p) using the constructed curves. The 
programs include subroutines for finding a random point on a curve, addition of two 
points, multiple of a point, and generation of a base point. 

In the next section we discuss various examples of curve construction over GF{p). 

7.2 Construction of Non-Supersingular Elliptic Curves over GF(p) 

In this section we give several examples to illustrate the performance of the curve construction 
algorithm over GF(p). As discussed in Chapter 4, we make use of a dictionary of negative 
discriminants and corresponding class numbers for the search of discriminants. The dictionary 
that we used contained all the discriminants lying between -3 and -1000000. The size of the 
corresponding file is 11MB. 

Example 7.1 
Inputs 

• Number of digits in prime factor of order n = 75. 

• Lower bound on MOV extension attack B = 30. 

• Upper bound on small factor C = 100. 

Outputs 

• The prime of GF(p) = 

p = 1411360078049791070889465425102796802898920229823853196185957269136930058573. 

• The coefficients of the constructed elliptic curve equation y^2 = x^3 + ax + b are 

a = 166814466418971645304389942292402701947982810259664927054121250247129053404, 

b = 65639156202472270385071963704924258146936339227732821892251773106032686587. 

• The order of the curve #E(GF(p)) = c * q 

= 1411360078049791070889465425102796802952545580226856381684599803843424645046 

= 2 * 705680039024895535444732712551398401476272790113428190842299931921712322523. 

Here, the prime factor q is such that (q - 1)/2 has no factor less than 30. 

• j-invariant of the curve is 

325360479775135323109411693445259344259504868761908532125322583404654934737. 

Now we give the intermediate results. As discussed in Chapter 4, the construction algorithm 
begins with the determination of a prime factor q of the order of the curve such that (q - 1)/2 
has no factor less than 30. The determination of the prime factor took 66 seconds. After this 
a negative discriminant is searched such that the second norm equation has a solution and the first 
norm equation gives the field prime p. In this example, the discriminant -43828 gives the 
proper solutions. The search for the discriminant took 607 seconds. The class number of this 
discriminant is 30, hence the degree of the class equation will be 30. For this discriminant 
all the primitive binary quadratic forms are computed using algorithm pbqf_cln(d). This 
discriminant satisfies the conditions for the u_2 class invariant. The precision required (Prec'(d)) 
for the computation of the class equation is 225 decimal digits. With this precision, the following 
class equation is obtained. 

f(x) = x^30 
+ 509756793991686742315462149054112472459529433819596406039860251390317777285 x^29 
+ 748848270510705582239553003132559009459742463725130495763444660947952640296 x^28 
+ 1066204495441967637652121654372124919535102103081959616768345969666506796378 x^27 
+ 201279415341608830446423619837378880027707133859247852645351594234551916007 x^26 
+ 1056985106126799704462797522323302612631138548660689832926754343129020593533 x^25 
+ 1204559426566175057240533078281266058656581847283090001349686919600655717024 x^24 
+ 422602370645755858358308321025652088942057138217178645189735043417290504887 x^23 
+ 490045800371081081921527444985244229157949766737162938413510153585260368163 x^22 
+ 59311154G11671(M05712r)2035C21274588G5'l.'352957G8r){)()298:}l'15955G894698741959159 x^21 
+ 55297854509897576009445234582159370679592386737443637()5388839291058G940J49 x^20 
+ 1064158542685122375619G0511883428810968346538936550038828910170077066333714 x^19 
+ 1127248956077789187469477G87692276527511859593175827462524292702260020750471 x^18 
+ 956274207908484593230156922062590100034070481548714305505375834446357960220 x^17 
+ 647299836309884765257304G29312763999088871929505143686190907108530879535757 x^16 
+ 417173642823097608980779558511130370100871333945570107296814946307864282304 x^15 
+ 558695630399072880366714212353618958176713158518600471175493593543928121240 x^14 
+ 1232296544039976281709858311666222188734606945607472321765384005276687401146 x^13 
+ 7448720505405077786880321869531075394269224799382]1316845720810509861720202 x^12 
+ 1189630737447636986578645821003099165318768176324464454986042243194605355163 x^11 
+ 389768674469651138907543402192150708261855912124755997265175120400792805397 x^10 
+ 315724086776111687806074202528835976938879935692646781667770515244968026858 x^9 
+ 735075069441568501229776169126030112618610878553700531232607392641781982464 x^8 
+ 749347530233135371699510722749305693429331886834935886953385574423900468013 x^7 
+ 68779135254907712973835577483890120977334006100797682116030349150954526034 x^6 
+ 552345649621561461942066816326303175242704858360593780547630290337970792927 x^5 
+ 327282943482779770755886436793755887379591738524225904433()74649473898131689 x^4 
+ 288572332152929498491501016723095537678098336030493561366765534822813080223 x^3 
+ 1380537847202007432568534583642287866450926267526240227289640403184044246643 x^2 
+ 1044422908857553733863812262696758819105343506247321326076390688443215023686 x 
+ 997523233029604727386407662334625971534790413224756006595802385313234309779. 

This polynomial factors completely over GF(p). Its factorization was completed in 
411 seconds. Its roots are as given below. 

1001311506487213497138135897874527865659108669688921781723329720726996964646, 

1290822594519257953264628714810706396558549940673684379299443418731586939883, 

395560474008583633581496440850299946860033263510016352655827823931269269055, 

1301078127664482989500092461779593223043932073597772003834631660975630256378, 

1223798172151249602364493979381495943106050305499489193781527508298422199531, 

137180672966713148776865585706143354335086428347343906437406248101527057132, 

93921969331828384923210586240712177491318851104012393971595469804573683501, 



864361627070546886432544056064431147027687722088729397933298019985842892867, 

1325580046459594779999992828021651072073480987615752801206611682324721688745, 

627485759157521131181180268612292451415039950199039876717991871655369234595, 

1409523963301304809179250034986690143699663205452692112450050229892039763497, 

234112463379586053895895242166562764980776850362213977390185851329796268926, 

804713011732474168926087448644893581301654914742726171532057916288748843660, 

834590790615413791160461537753220638142740074983333911970263619394452748993, 

1067905646410286412470210270952400013242409323470274335500190038158742643887, 

1207112251898638109380757435710186214690772078573412477410423121513882182573, 

58329523222450492302976040189511082951558466889733195907257687153093123814, 

1052440419825829121129092040714090007438133393903956507201610454937233037207, 

636447957259301909102122964884878639268563052607546523530009492899486849993, 

266009492722703278074592470208586208103800283120985022758863859823463200755, 

748431213156394204472205952458486738561273075611032970554609036175771014956, 

830516616314131149485501323599379400960138215031179402072342523726762799907, 

1171207274276328485844220580709307270440787392720664988548822280797039277170, 

795390803084964588190070257793077686488051246170185170727014390844626569077, 

651961508554097131078641704531846950505328455150483449621109533875298422092, 

478724668791374439539328296722675661889000027437580935082165233162737194021, 

922411493727234339119707490899853495089014267653322088100000002652890839227, 

814518762954712181668036002251071204838099412534425550259079119473616503789, 

449121087500497080918183294852895220577458320383528977550070064352094537635, 

788788034304047049699402202321905956081403023989201407326365442949777210944. 

The above given j-invariant is the 3rd power of the first root of this polynomial in GF(p). The 
other j-invariants can be computed in a similar way. The coefficients of the elliptic curve 
equation are obtained from the j-invariant. For a given j-invariant over GF(p) there is more 
than one isomorphism class (2 for discriminants less than -4). To find the correct co- 
efficients, a point V of high order is determined (randomly). If #E(GF(p))V is the point at 
infinity then the coefficients are correct, otherwise the correct coefficients are obtained as 
given in Chapter 4. 


Example 7.2 
Inputs 

• Number of digits in prime factor of order n = 40, 

• Lower bound on MOV extension attack B = 1000. 

• Upper bound on small factor C = 100. 
Outputs 

• The prime p for GF(p) = 4774829579066132071895786080052961398393. 

• The coefficients of the constructed elliptic curve equation y^2 = x^3 + ax + b are 

a = 1372526379009288236731552596726744306914, 
b = 4311006843399719285356700402041443244052. 

• The order of the curve #E(GF(p)) (= c * q) 

#E(GF(p)) = 4774829579066132071770983775873106308886 

= 2 * 2387414789533066035885491887936553154443. 

Here, the prime factor q is such that (q - 1)/2 has no factor less than 1000. 

• j-invariant of the curve is 2943414941208503730054448587155247829400. 

In this case, the prime factor is computed in 6 seconds. The discriminant is -12148. 
The class number of this discriminant is 18 and it was searched in 65 seconds. The precision 
Prec'(d) is 126 digits. The class equation is as given below. 


f(x) = x^18 + 130288020398082392126777246243156073454 x^17 

+ 189271736638456507555336760387413568327 x^16 

+ 4598335993022236064443521635049958570867 x^15 

+ 804181187043524942426691387677747021236 x^14 

+ 2286339919759732434612238270242571348994 x^13 

+ 2472971998469771733912662450476520121784 x^12 

+ 4660208499544560604711381108091843465761 x^11 

+ 207283677800602801684548483862665323459 x^10 

+ 2198166764697586211092711162358331002320 x^9 

+ 1935293766209083448011131615899379202274 x^8 

+ 248551494676371403014147766259900772388 x^7 

+ 997903978605940760546736345219999768077 x^6 

+ 2227029426038737834706392062635371420706 x^5 

+ 1680662199433235896909738885363304973562 x^4 

+ 1691266351214072805727366159044218242143 x^3 

+ 989739123195704070033895542374653960497 x^2 

+ 3076142359220327220570767935651442319313 x 

+ 3565263033952084360332668426196298629374. 
This polynomial was factored in GF(p) in 45 seconds. Its roots are as given below. 


4104281905613787582545743571102480968097, 

817543705252880535785352130322532353742, 

584133835230887322821018022364502230168, 

1909300107287935734113988177003328400799, 

3758140952726880990004987447984483169604, 

1081041433023135677390838979016901323580, 

138970667253449402508528635188873500849, 

882749346445226568197867092873073113471, 

367040326797241326264800043255143905570, 

3714835680188742222260586157504292135877, 

3200216729371760257872484495181182114886, 

50837485777940938236418993007966569004, 

1376039423600048471285410776800325752376, 

2809376619383218545356815369193449782315, 

4191700876075933511514512486165562511777, 

2524871912809054146898819914390404429166, 

1657568929013073562081068785472478364211, 

64863037213639315944477630579933029805. 


The j-invariant given above is obtained from the first root. The curve equation is computed 
in the same way as discussed earlier. In this case, the degree of the class equation is 18. In fact, 
the degree is not related to the size of the order; as we illustrate in the next example, for 
the same size of order the degree of the class equation can be small. The degree of the class equation 
(or equivalently the class number of the discriminant) depends upon the particular prime factor but not 
on the size of the prime factor. It may happen that a large prime splits in an order of a 
quadratic imaginary field with small class number. 


Example 7.3 
Inputs 

• Number of digits in prime factor of order n = 40, 

• Lower bound on MOV extension attack B = 100. 

• Upper bound on small factor C = 100. 

Outputs 

• The prime p for GF(p) = 8015837462513429142529036965157683643913. 

• The coefficients of the constructed elliptic curve equation y^2 = x^3 + ax + b are 

a = 1047167977998496891286483084544213484856, 
b = 3370057806170140975034001044748703537875. 

• The order of the curve #E(GF(p)) (= c * q) 

#E(GF(p)) = 8015837462513429142417025044017731920838 

= 2 * 4007918731256714571208512522008865960419. 

Here, the prime factor q is such that (q - 1)/2 has no factor less than 1000. 

• j-invariant of the curve is 1630781539639094736437466886175741433795. 

In this case, the prime factor is generated in 30 seconds. The corresponding discriminant and 
class number are -436 and 6 respectively. The discriminant was found in 10 seconds only. 
Since the class number and discriminant are both small, the precision is 36 digits, which is 
much less than that in Example 7.2. In this case as well, the u_2 class invariant is used 
for constructing the class equation. The class equation is as follows. 

f(x) = x^6 + 8015837462513429142529036965154547973245 x^5 

+ 8015837462513429142529036789128783870953 x^4 

+ 8015837462513429142529012533857418477641 x^3 
+ 8015837462513429142527667172892944864265 x^2 
+ 8015837462513429142514162788937106553353 x 
+ 8015837462513429142380012710590420243977. 

Since the degree of this polynomial is very small, it was factored in 3 seconds. Its roots are 
as follows. 

7286814961972788186534280046998330798922, 

7890128848175143322297195485860810878513, 

1195139391907159325391665125852732895966, 

6559090970454168757666561877425208920778, 

1885914090025397243801160530424927395772, 

7246261587519059734425284794071859356309. 

For each of these roots a j-invariant can be computed. Here we have constructed the curve 
for the first root only. In the next example, the small factor of the order is taken different from 
2. 

Example 7.4 
Inputs 
• Number of digits in prime factor of order n = 60, 

• Lower bound on MOV extension attack B = 100. 

• Upper bound on small factor C = 100. 

Outputs 

• The prime of GF(p) = 

p = 4214817915758928417712424430843769565118827877401256184777279. 

• The coefficients of the constructed elliptic curve equation y^2 = x^3 + ax + b are 

a = 1950860025879085130495356808736086779801004081010884983329023, 
b = 1545345580652087448540156684100890947733124944678466939561851. 

• The order of the curve #E(GF(p)) = c * q = 4214817915758928417712424430839738401055715385485419780944195 
= 5 * 842963583151785683542484886167947680211143077097083956188839. Here, the prime factor q is such 
that (q - 1)/2 has no factor less than 100. 

• j-invariant of the curve is 

604356003674505679413297494661885231336644307914555911861276. 

In this case, the prime factor is generated in 27 seconds. The discriminant is -5531 and it 
was found in 223 seconds. The class number is 23. Since the discriminant is coprime to 6, all 
class invariants except Yui-Zagier's can be used. If the u_0 class invariant is used 
then the required precision Prec(d) is approximately 330. The precision Prec'(d) for u_2 will be 
one third of it (= 110), whereas for u_1 it is approximately 220 ((Prec(d) + 23 log|d|)/2 = 
(330 + 85)/2 = 208). Hence, obviously the best choice is u_2. The class equations for the different 
class invariants will be different, but their degree and the corresponding j-invariants in GF(p) 
will be the same. 

f(x) = x^23 + 6655873390017850995853566307437920 x^22 

+ 1918123355487829358579321015299321249712964608 x^21 
+ 235491464538008756454558371268833649920033789276874047488 x^20 

+ 3372428080718943702982478587533878827754226729428336373468530 x^19 

+ 3863027548541464744036395310812910598204166088512786073816487 x^18 

+ 901634324943120961314912364267420716399259139195940767687947 x^17 

+ 3634698650473499206986084887667725873269265669299247546678968 x^16 

+ 221919329743805410672469684422630801470571848889532313946255 x^15 

+ 19539127053703064604559379G418408513102147()lC5317446279284658 x^14 

+ 4512184742443015563364748415130602302018520177870035253069122 x^13 

+ 3378468679266962802340292742008280596563767538414072764600494 x^12 

+ 2533845995497319609213396073587446263415454438514816813835499 x^11 

+ 192998172256375730479161738738234434866189576209283895273267 x^10 

+ 1006078603516606779532285555012325689513124391887843436546302 x^9 

+ 871513198266226312247965012038681228129254879352860006251146 x^8 

+ 2794863912924592075803786056416702003131756951697260181549619 x^7 

+ 1784276261032473495489554887684970579882113284460329539790632 x^6 

+ 2629950970414492889459662949105923278499600544763945087457261 x^5 
+ 2537357230042452893194268528l97327881G8207G2K)r)03207434403210 x^4 

+ 3830416484709204951279202244020234073938289212501522633929421 x^3 

+ 3593770186773619794408194536074341594313367738592479920335299 x^2 
+ 674740671193324779896959455989408328313521893430774152954296 x 

+ 2339202380411733261018730981569220920798251013890462785928448. 

This polynomial gets factored in 176 seconds. Following are the roots of this polynomial 
over GF(p). 

606033415293127318353694856837407269787371382693595706446922, 

658849171948522191861119920703334587712336235458216942415348, 

185968455902978123717805434740526939274680149701 1 107585623522, 

3156635298303764154542206332332972603479564215644791178512989, 

3195758893499774306678774126576831301379084661194745304762290, 

1754225516161022041876899422446052726870069029651999115347676, 

1990360799559734819270649647437693503152382360857622106424477, 

665172357341403907516030883300773854659245394560519765231953, 

1640233148287711133871345073958464087616031865142817754338780, 

1969515222965588681653044958231129750769330570752036418341025, 

3078957554274118261022965699930503501764176567967211155545546, 

1615034112890287053071986686308479863280696629319138341950355, 

3556198914119246230268016537248519314127875863285287574939537, 

4182665573120655447107803228523643659325537908969778041769488, 

2233169275286833537161192379327336474208490851246428316516787, 

2240222249379520699839530269530714627023967740451073000620624, 

1974022580570590323896066624971728387830840379619501552518492, 

1464986046703758804205036 1 569269 160757321663868995 1 19 1845003, 

1196014957105586012740663982983532991685766459966412840110876, 
The roots of this polynomial are obtained in 10 seconds. 
6051863879432688419248420100977, 6579985718841133379332775655565, 
2886922493120117454221349804148, 1759487779187883637437272541328, 
2139058412833353025833987927004, 3060604254344526257505630884247, 
3098531395973994469673862292350, 6547468666645379410471345973372, 
3527525783407581401421894354405, 3336354316001873585605073430803, 
1616052847383592576342888831681, 2623343798810003735831035053746. 

Let us summarize the above results. 


Parameters   Example 7.1   Example 7.2   Example 7.3   Example 7.4   Example 7.5 
d            -43828        -12148        -436          -5531         -3880 
h            30            18            6             23            12 
log q        75            40            40            60            30 
B            30            1000          100           100           120 
c            2             2             2             5             20 
Prec'(d)     225           126           30            110           81 
tp           66s           6s            30s           27s           46s 
ts           607s          65s           10s           223s          33s 
tr           411s          45s           3s            176s          10s 

Table 7.1: Results of Examples 


Here, tp, ts and tr denote the time taken in prime factor generation, search of discriminant 
and factorization of the class equation respectively. It is clear from this table that discriminants with 
smaller class number are good from the point of view of computation. The maximum time 
taken in curve construction is 1084 seconds. But in this case, the order of the curve is 
also very large. Hence we see that non-supersingular elliptic curves with predefined order 
can be constructed quite efficiently. 

Now, we discuss the particular case in which the order of the non-supersingular elliptic 
curve E(GF(p)) is p [Miy92]. As explained in Chapter 3, the MOV attack will not be applicable 
to such curves. For this type of curve, the discriminant for which the two norm equations 
have a solution will be the square-free part of 1 - 4p. Now, instead of specifying p, we pick a 
discriminant d with small class number and check for a random integer x whether 
(1 - dx^2)/4 is a prime or not. Here the integer x is of the order of the square root of the prime p (to 
be constructed). If (1 - dx^2)/4 is a prime then assign it to the prime p, otherwise repeat the 
process for some other value of x. Obviously, success in this case will mean that the two norm 
equations with q = p and #E(GF(p)) = p have a solution for discriminant d. Since 
the discriminant is selected such that the corresponding class number is small, the rest of the 
process will be simple. In our implementations we have found that finding such a discriminant 
and prime is not difficult. In [Miy92], Miyaji discusses this idea for class number 1 only. He 
presented numerical results without much explanation. Here we will see that this concept 
fits well into the theoretical framework that we have developed. There is no need to restrict 
to discriminants of class number 1; rather the argument holds for any class number. Of 
course, for small class numbers the computational complexity will be less as the degree of the 
class equation will be small. 

Example 7.6 

Let d = -11 and the field prime p be a 30 digit number. Hence we find a 15 digit number 
randomly and assign it to x. If (1 - dx^2)/4 is a prime then it is assigned to p, otherwise the 
process is repeated. An appropriate x was found in 0.43 seconds. 

x = 274058689132959 and p = 206547453995508613567745263123. 

Since the class number of -11 is 1, the class equation will be a polynomial of degree 1: f(x) = 
x + 32. Its root modulo p is 206547453995508613567745263091 and the j-invariant is 
206547453995508613567745230355. The equation of the curve is 
y^2 = x^3 + 54524131361428090652048624025 x + 47827947528849256669031045135. 

The whole process took just 2 seconds for constructing the curve. 

Example 7.7 

Similarly, for d = -19 and p a 60 digit prime, the prime p was obtained in 30 seconds. Here 
most of the time was consumed in primality testing of p. 

x = 247138054970145802346623597745 

p = 290116786518527339508643969064368625906962509595015953153869. 

The class equation is f(x) = x + 96. Its root and j-invariant are 
290116786518527339508643969064368625906962509595015953153773 and 
290116786518527339508643969064368625906962509595015952269133 respectively. 

The equation of the elliptic curve is 

y^2 = x^3 + 251095230437087989750171388429979863358072867251826C72905100 x 

+ 167396820291391993166780925619986575572048578167884448603400. 

This curve was constructed in 61 seconds. 

Example 7.8 

If d = -35 and p is a 60 digit number then the prime p is obtained in 43.07 seconds. 

x = 10283968502947609953878509 

p = 1348440104162635949468089660878242490915692133804283. 

In this case the class number is 2 and hence the degree of the class equation is 2. 

f(x) = x^2 + 1348440104162635949468089660878242490915692133273067 x 

+ 1348440104162635949468089660878242490915691930845499. 

The roots of this equation are 

140529237726707083190362484250220775895258558330575 

1207910866435928866277727176628021715020433576004924. 

The j-invariant corresponding to the first root is 
653412959241662611529735763471743409428513736204282 
and the equation of the elliptic curve is 

y^2 = x^3 + 1281684927066873923923399792973113337256441537586373 x 

+ 944882001814948178254781369595785445319858371971522. 

The program took 7 seconds to construct the curve. 

Example 7.9 

If d = -59 then its class number is 3. If p is a 40 digit prime then 
x = 9395424373451778963 
p = 1302041487569463361021037060783787991693. 

The class equation is f(x) = x^3 + 3136x^2 + 68608x + 720896 and its roots are 

1173008702346216304272655744874435180527, 

644932801902306252448131793310101094004, 

786141470890404165321286583383039705719. 

The j-invariant is 192053971435930911663294214845519377551 and the elliptic curve equation 
is given as 

y^2 = x^3 + 120759639812892712925932367535312022275 x 

+ 669081261874859325925872183267815439773. 

The precision used in the computation of the class equation is 18 digits. 
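As an added example (not the thesis's own code), the order-p construction of this section reproduced for d = -11 and the x of Example 7.6: p = (1 - dx^2)/4, j = (-32)^3 from the class equation f(x) = x + 32 (the cube relation stated in Example 7.1), a curve with that j, and the check p*V = O that selects the right twist, together with a random search for such a prime. The Miller-Rabin, Tonelli-Shanks and affine point-arithmetic helpers are constructed stand-ins for the thesis's SIMATH routines, and the (a, b) found is isomorphic over GF(p) to the page's curve rather than identical to it.

```python
# Added example (not code from the thesis): the order-p construction of Section 7.2
# for d = -11 (class equation f(x) = x + 32, Example 7.6) and the checks used on it.
import random

def is_probable_prime(n, rounds=25):
    """Miller-Rabin test; a constructed stand-in for SIMATH's primality routine."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def sqrt_mod(n, p):
    """Tonelli-Shanks square root modulo the prime p; None if n is a non-residue."""
    n %= p
    if pow(n, (p - 1) // 2, p) != 1:
        return 0 if n == 0 else None
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = next(z for z in range(2, p) if pow(z, (p - 1) // 2, p) == p - 1)
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + ax + b over GF(p); None is the point at infinity."""
    if P is None or Q is None:
        return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if x1 == x2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, a, p):  # double-and-add computation of the multiple k*P
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def random_point(a, b, p):
    while True:
        x = random.randrange(p)
        y = sqrt_mod(x ** 3 + a * x + b, p)
        if y is not None:
            return x, y
def j_invariant(a, b, p):
    return 1728 * 4 * a ** 3 * pow(4 * a ** 3 + 27 * b ** 2, -1, p) % p
def curve_from_j(j, p):
    """One curve with the given j (j != 0, 1728): a = 3k, b = 2k, k = j/(1728 - j)."""
    k = j * pow((1728 - j) % p, -1, p) % p
    return 3 * k % p, 2 * k % p
def has_order(a, b, p, n, trials=3):  # n*V = O for random V: the page's order check
    return all(ec_mul(n, random_point(a, b, p), a, p) is None for _ in range(trials))
def anomalous_prime_from_x(d, x):
    """p = (1 - d x^2)/4 if that is an integer and (probably) prime, else None."""
    n = 1 - d * x * x
    return n // 4 if n % 4 == 0 and is_probable_prime(n // 4) else None
def find_anomalous_prime(d, digits):  # random x of half the digits of p, as in Section 7.2
    while True:
        x = random.randrange(10 ** (digits // 2 - 1), 10 ** (digits // 2))
        p = anomalous_prime_from_x(d, x)
        if p is not None:
            return x, p

def construct_order_p_curve(class_root, p):
    """j = root^3 (u_2 class invariant, as in Example 7.1); keep the twist with p*V = O."""
    j = pow(class_root, 3, p)
    a, b = curve_from_j(j, p)
    if has_order(a, b, p, p):
        return a, b
    c = next(c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1)
    a, b = a * c * c % p, b * c ** 3 % p  # quadratic twist: order 2p + 2 - (p + 2) = p
    assert has_order(a, b, p, p)
    return a, b

if __name__ == "__main__":
    p = anomalous_prime_from_x(-11, 274058689132959)  # x of Example 7.6
    a, b = construct_order_p_curve(-32, p)             # f(x) = x + 32 has root -32
    print(f"p = {p}\na = {a}\nb = {b}\nj = {j_invariant(a, b, p)}")
```

Curves with #E(GF(p)) = p, which this section constructs, are today known to be weak (the anomalous-curve attack published after this thesis), so the block reproduces the construction and its checks rather than recommending such curves.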

In this section, we discussed various examples for the algorithms developed in Chapter 4. 
The algorithms are quite efficient and generate the curves in a very short time. We also 
discussed Miyaji's construction of curves with order equal to the field prime in a general 
perspective. In the next section, we consider various examples of non-supersingular elliptic 
curve construction over GF(2^n) for the different cases given in Chapter 4. 

7.3 Construction of Non-supersingular Elliptic Curves over GF(2^n) 

In this section, we discuss the results of the algorithm developed for the construction of non- 
supersingular elliptic curves over GF(2^n). In [LZ94], a similar algorithm has been discussed, 
but only for one particular case, whereas we have generalized that algorithm 
to include several other cases which were (possibly) discarded in [LZ94] due to an incorrect 
interpretation of an important result concerning the prime ideals in the class group (see Chapter 4 
and Appendix C). Here we will validate all the arguments given in Chapter 4 by illustrating 
examples for each case. 

Since for cryptographic applications the size of the field has to be at least 10^36, the 
extension degree of GF(2^n) over GF(2) must be greater than 120. As we discussed earlier, 
the extension degree is related to the class number (equal in some cases), hence the class number 
for construction will be very high. This results in very high precision for the construction of the class 
equation. Hence, to reduce the precision required, we will consider only Yui-Zagier's class 
invariant u_3, as it reduces the precision by a factor of 48. Moreover, one of the two conditions 
on the discriminant to use u_3 is a necessary condition for 2 to split into prime ideals in quadratic 
imaginary fields. Now we consider each case separately using the same notation as given in 
Chapter 4. 

n is a composite number with h as a factor 

Here n = ht. In this case, the discriminant is searched among those of class number h, and q = 2^n in the norm 
equations. Obviously, the class equation will be a polynomial of degree h which may reduce 
over GF(2) if h is not prime. Let us first consider the case in which the class equation is 
irreducible over GF(2). 

Example 7.10 
Inputs 

• n = 144. 

• h = 36. 

• B = 10. 

• C = 100. 

• d = 1 mod 8. 

• The modulo polynomial is (144 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001110100101100010111110000111101)_2. 

Outputs 

• The elliptic curve equation is y^2 + xy = x^3 + ax^2 + b, where 

a = (142 10111001010010100111011010011111001101110111010000101011011100100110010011011000100001000111110011100110101001011011011010111110001000010101100), 

b = (143 11100110001110010100110010100110100010001001100111000110010010110111101100101101110010001000101000111010110101001011110111111000011101001010000 0). 

• The order of the curve 

#E = 22300745198530623141531545330628491015781586 

= 98 * 227558624474802276954403523781923377712057. 

• j-invariant = 

Now, we discuss the intermediate steps in detail. The discriminant is searched in the file 
containing discriminants of class number 36. For d = -5063 the solution satisfying all 
the conditions is obtained. The integer 2 splits into two non-principal prime ideals p, p' in 
O(-5063) such that each ideal has order h. In other words, h is the minimum integer such 
that p^h becomes a principal ideal. Hence the corresponding class equation will be irreducible over 
GF(2). The precision required for computation of the class equation is 27 digits. The class 
equation (modulo 2) is given as (36 1100100001000011111100111111100111001). Now, the 
coefficient a of the curve will be an element of trace 1 because #E(GF(2^144)) = 2 mod 4. 
This element is found by random search. The coefficient b is the inverse of the j-invariant 
of the curve, which is the 48th power of a root of the class equation in GF(2^144). Hence we now 
require factorization of the class equation in GF(2^144). The factorization was done in 8 hours 
23 minutes. Hence we see that this is quite a time consuming step in this case. Obviously, if 
the class equation is reducible over GF(2) then a polynomial of smaller degree will have to 
be factored, and hence the j-invariant can be obtained in less time. The next example discusses this 
case, i.e. n = ht and the class equation reduces over GF(2). 

² Here the first integer represents the degree of the polynomial and the string of bits represents the coefficients. 

Example 7.11 
Inputs 

• n = 128. 

• h = 32. 

• B = 10. 

• C = 100. 

• The modulo polynomial is (128 1000000000000000000000000000000000000 
000000000000000000000000000000000000000000000000000000000000000110011011 
01100100111011111111). 

Outputs 

• The elliptic curve equation is y^2 + xy = x^3 + ax^2 + b, where 

a = (127 110010110000111111101101010000101001010110101100011101111011011 
10100011010100001100100000100101011000100011001000000000010001100), 
b = (126 10000100100000010010010011001011110000000000010100100100111101 
01011011011000000000000101100010100010101010000001001100010111000). 

• The order of the curve 

#E(GF(2^{128})) = 340282366920938463494384599195483217314 

= 2 * 170141183460469231747192299597741608657. 

• j-invariant = b^{-1}. 

In this case, the discriminant is −4495. Here, the integer 2 splits into prime ideals p, p' which 
have order h/2 (= 32/2 = 16). Hence p^{16} will be a principal ideal in the class group of O(−4495). 
This means that the class equation will get reduced to two irreducible polynomials of degree 
16 in GF(2). The precision required is 27. The class equation is 

(32 111111010011011100100101110000101). 

The polynomial (16 11010011010011001) is one factor of the class equation. Now, for computation 
of the j-invariant this polynomial is factored in GF(2^{128}). The factorization is done in 1 
hour and 15 minutes, which is much less than that required in Example 7.10. Once 
a root is obtained the coefficient b can easily be computed. The coefficient a is an element 
with trace 1. Similarly, the anomalous elliptic curves [MS99] can be constructed if k is taken as 
1 and n as the desired extension. Now, we discuss the case when n = h. 
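Examples 7.10 and 7.11 turn on three computations in GF(2^n): reading the (degree bits) notation, deciding whether a polynomial over GF(2) is irreducible (so that it can define the field or must be factored further), and finding a coefficient a whose trace matches #E mod 4. The following Python block is an added example, not code from the thesis; it implements these with Python integers as GF(2)[x] polynomials and, going beyond the two examples, verifies by exhaustive point counting over a tiny field that #E ≡ 2 mod 4 exactly when Tr(a) = 1. All function names are assumed for illustration; the GF(2^160) modulus it parses is the one printed for Examples 7.14 and 7.17.

```python
# Added example (not the thesis's code): GF(2^n) arithmetic for the
# "(degree bits)" notation of Section 7.3.  A polynomial over GF(2) is an int
# whose bit i is the coefficient of x^i.

def parse_poly(text):
    """Parse "(deg b_deg ... b_0)"; whitespace inside the bit string is ignored
    and the declared degree must match the number of bits."""
    deg, bits = text.strip().lstrip("(").rstrip(")").split(None, 1)
    bits = "".join(bits.split())
    if len(bits) != int(deg) + 1 or bits[0] != "1":
        raise ValueError("bit string does not match the declared degree")
    return int(bits, 2)

def gf2_mod(a, f):
    """Remainder of a divided by f in GF(2)[x]."""
    nf = f.bit_length()
    while a and a.bit_length() >= nf:
        a ^= f << (a.bit_length() - nf)
    return a

def gf2_mulmod(a, b, f):
    """a*b mod f by shift-and-add, reducing after every shift."""
    n = f.bit_length() - 1
    a, b = gf2_mod(a, f), gf2_mod(b, f)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= f
    return r

def gf2_powmod(a, e, f):
    """a^e mod f by square-and-multiply."""
    r, a = 1, gf2_mod(a, f)
    while e:
        if e & 1:
            r = gf2_mulmod(r, a, f)
        a = gf2_mulmod(a, a, f)
        e >>= 1
    return r

def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def prime_factors(n):
    ps, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            ps.add(d)
            n //= d
        d += 1
    if n > 1:
        ps.add(n)
    return ps

def is_irreducible(f):
    """Rabin's test: f of degree n is irreducible over GF(2) iff x^(2^n) = x
    (mod f) and gcd(x^(2^(n/p)) - x, f) = 1 for every prime p dividing n."""
    n = f.bit_length() - 1
    if n < 1:
        return False
    x = gf2_mod(2, f)
    if gf2_powmod(x, 1 << n, f) != x:
        return False
    for p in prime_factors(n):
        if gf2_gcd(f, gf2_powmod(x, 1 << (n // p), f) ^ x) != 1:
            return False
    return True

def trace(a, f):
    """Absolute trace a + a^2 + a^4 + ... + a^(2^(n-1)); always 0 or 1."""
    n = f.bit_length() - 1
    t, s = 0, gf2_mod(a, f)
    for _ in range(n):
        t ^= s
        s = gf2_mulmod(s, s, f)
    return t

def curve_order(a, b, f):
    """#E(GF(2^n)) of y^2 + xy = x^3 + ax^2 + b by trying every (x, y);
    only feasible for tiny n.  The point at infinity is counted."""
    n = f.bit_length() - 1
    count = 1
    for x in range(1 << n):
        x2 = gf2_mulmod(x, x, f)
        rhs = gf2_mulmod(x2, x, f) ^ gf2_mulmod(a, x2, f) ^ b
        for y in range(1 << n):
            if gf2_mulmod(y, y, f) ^ gf2_mulmod(x, y, f) == rhs:
                count += 1
    return count

def trace_rule_holds(f):
    """The rule used in Examples 7.10-7.15: #E mod 4 is 2*Tr(a) for every a
    and every b != 0 (b = 0 gives a singular curve and is skipped)."""
    n = f.bit_length() - 1
    return all(curve_order(a, b, f) % 4 == 2 * trace(a, f)
               for a in range(1 << n) for b in range(1, 1 << n))

if __name__ == "__main__":
    # Modulus of Examples 7.14 and 7.17 as read from the page: x^160 plus the
    # 31 low-order coefficients.
    f160 = parse_poly("(160 1" + "0" * 129 + "1001000101111111010010110000011)")
    print("GF(2^160) modulus irreducible:", is_irreducible(f160))
    print("trace rule holds in GF(2^4):", trace_rule_holds(parse_poly("(4 10011)")))
```

Running the block prints the irreducibility verdict for the page's GF(2^160) modulus and confirms the trace rule over GF(2^4); the same functions applied to the (36 ...) class equation of Example 7.10 report it irreducible over GF(2), which is why that example had to factor it in the large field.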
n = h 

First we discuss the case when n is prime. 

Example 7.12 

Inputs 

• n = h = 193. 

• B = 10. 

• C = 100. 

Outputs 

• The modulo polynomial is (193 110111111101010101000100110000011 
1011000010111111110001000010100001111011010101110101011110001010000011101 
0100101001111101110100100111101101010000100101010011011000110111110000001 
100001001) 

• The elliptic curve equation is y^2 + xy = x^3 + ax^2 + b, where 

a = 0, 

b = (192 11111000011011111011111001100010010111100000111111101110110101 
0001010010001001101011001100101001001111000011011111001010001001000010 
011101010011111111110111111111001100111011011110000101110011). 

• The order of the curve 

#E(GF(2^{193})) = 12554203470773361527671578846415371030581749923957395864724 

= 12 * 1046183622564446793972631570534614252548479160329782988727. 

• j-invariant = b^{-1}. 

The discriminant is searched in class number 193. A proper solution is found for discriminant 
−42407. Since the class number is a prime, every ideal in the class group Cl(O) will have 
order 193 and hence the factors of 2 as well. The class equation will be an irreducible 
polynomial (over GF(2)) of degree 193 and can be used as the modulo polynomial for defining 
the field. If the root is α then α^{-48} will be the coefficient b. The coefficient a is zero as 
#E(GF(2^{193})) ≡ 0 mod 4. The precision used in computation of the class equation is 63. Now 
we consider the case when n = h and n is composite. There will be two cases, first in which 
the class equation is irreducible and second in which the class equation reduces over GF(2). 
We consider the first case first. 
Example 7.13 

Inputs 

• n = h = 160. 

• B = 10. 

• C = 100. 

Outputs 

• The modulo polynomial is (160 11010001001110000011111111 
111111001010101001010101000100111110001011010010111100101011001000 
0100010110101011000111011100001100101110100101100110001111100100100 ). 

• The elliptic curve equation is y^2 + xy = x^3 + ax^2 + b, where 

a = 0, 

b = (159 10110101000100001111100010110001010101011100001000111011111 
0111100000000111010000110101100101010011010101111000011111000110001 
00110001101001111001011110000100 ). 

• The order of the curve 

#E(GF(2^{160})) = 1461501637330902918203687131986134054232807615724 

= 4 * 365375409332725729550921782996533513558201903931. 

• j-invariant = b^{-1}. 

In this case the discriminant is −20495. Obviously the factors of 2 in O(−20495) will 
be of order 160 and the corresponding class equation will be irreducible. This is used for 
defining the field. The precision required is 54. The coefficient a will be zero and b can be 
obtained by raising the inverse of the root of this equation to the 48th power. The next example 
discusses the case when the class equation gets factored for this very class number. 

Example 7.14 

Inputs 
• The modulo polynomial is (160 10000000000000000000000000000 
0000000000000000000000000000000000000000000000000000000000000000000 
00000000000000000000000000000000001001000101111111010010110000011). 

Outputs 

• The elliptic curve equation is y^2 + xy = x^3 + ax^2 + b, where 

a = (159 11001000110110111111110000111101110101010110101011111000111 
00101111100001011010100100111010011111011010111101101011010111001011 
100010100010110110001010000000001). 

b = (159 111000100010010011011010101000100000000101111011100011100110 
11111100110001110010111110100011110001000000110110010001011111101000 
00100111000011000110110100111100). 

• The order of the curve 

#E(GF(2^{160})) = 1461501637330902918203685262673156328315700024354 

= 2 * 730750818665451459101842631336578164157850012177. 

• j-invariant = b^{-1}. 

In this case the discriminant is −55279. The required precision is 63. The class equation is 
a reducible polynomial of degree 160 and each of its factors is a polynomial of degree 20. The 
class equation is given by 

(160 11010011101011001110000011101110000011001100101100111010110 

1010100110011001010000110010110001010010011100010110100110111111011 

0011100011000010010111101011000101). 

Its one factor is (20 100000010100010101001). The coefficient a will be an element of trace 
1. For computation of b, this polynomial is factored. Its factorization is done in 4 hours. 
Now we discuss the last case. 

h = nt 

Example 7.15 

Inputs 

• n = 135. 

• h = 270. 

• B = 10. 

• C = 100. 

Outputs 


• The modulo polynomial is (135 10001110111111110101010110001 
0110011010000111001010010000000000000101101110000110011001010110111101 
0010101110000001001101010100010111101). 

• The elliptic curve equation is y^2 + xy = x^3 + ax^2 + b, where 

a = 0, 

b = (133 100100001110111111110110010010010001011011111011110100000010 
10011101011011110101001101000101000111101010100110000110110100011101 
010110 ). 

• The order of the curve 

#E(GF(2^{135})) = 43556142965880123323414036655122927355348 

= 12 * 3629678580490010276951169721260243946279. 

• j-invariant = b^{-1}. 

In this case, the discriminant is searched in class number 270. Obviously, a solution will 
be found iff the corresponding ideals have order 135. The discriminant is −48599. The 
precision used for computation of the class equation is 90. The class equation has two factor 
polynomials of degree 135. The class equation is given below. 

(270 1000010011110110001101101100011111111101010111100101011 
00001001110010001001010001111011111101101001001111001011000010 
11111001001010011110000001001110001111001111000100011100010010 
10001111100111101001100010000001111010101000100100011111000001 
011101010110110010011010100001). 

Its one factor is (135 1000111011111111010101011000101100110 
10000111001010010000000000000101101110000110011001010110111101 
0010101110000001001101010100010111101). 

This polynomial can be used as the modulo polynomial for defining the field GF(2^{135}). 

Hence we see that all of the above cases efficiently generate the elliptic curve over GF(2^n). If 
an option is so chosen that factorization of the class equation is avoided then this algorithm 
constructs the curve in a few seconds for fields with extension degree n smaller than 150. For 
larger fields also this method gives the curve in a few minutes. In the next section, we 
give the results for supersingular elliptic curve construction over GF(2^n). 
7.4 Construction of Supersingular Elliptic Curves over GF(2^n) 

As discussed in Chapter 4, there are only 3 and 7 isomorphism classes of supersingular elliptic 
curves over GF(2^n) for odd and even n respectively. For each class, the order of the curve is 
known. The representative reduced form for each isomorphism class of supersingular curves 
over odd extensions of GF(2) is given in Chapter 4. For even extensions of GF(2), the 
representative form for each of the seven isomorphism classes can be obtained by finding elements 
in GF(2^n) with certain properties discussed in Chapter 4. To construct these curves, 
we have developed routines for large integer and GF(2^n) arithmetic. 

Here, we give examples for each isomorphism class. 

Example 7.16 

Isomorphism classes over GF(2^{155}) 

1. If the equation of the curve is y^2 + y = x^3 then the order of the curve is 
45671926166590716193865151022383844364247891969. The degree of MOV reduction 
attack is 2. 

2. If the equation of the curve is y^2 + y = x^3 + x then the order of the curve is 
45671926166590716193865151022383844364247891969. The degree of MOV reduction 
attack is 4. 

3. If the equation of the curve is y^2 + y = x^3 + x + 1 then the order of the curve is 
45671926166590716193865453253838748021541568513. The degree of MOV reduction 
attack is 4. 

Example 7.17 

Isomorphism classes over GF(2^{160}) 

The modulo polynomial for GF(2^{160}) is (160 100000000000000 
00000000000000000000000000000000000000000000000000000000000 
00000000000000000000000000000000000000000000000000000000100 
1000101111111010010110000011). 

1. If the equation of the curve is y^2 + (1 10)y = x^3 then the order of the curve is 
1461501637330902918203686041642102634285107249153. The degree of MOV reduction 
attack is 3. 

2. If the equation of the curve is y^2 + (2 100)y = x^3 then the order of the curve is 
1461501637330902918203686041642102634285107249153. The degree of MOV reduction 
attack is 3. 
3. If the equation of the curve is y^2 + (1 10)y = x^3 + (135 1 followed by 135 zeros) then the 
order of the curve is 1461501637330902918203683623790463405026757836801. The degree 
of MOV reduction attack is 3. 

4. If the equation of the curve is y^2 + (2 100)y = x^3 + (137 1 followed by 137 zeros) then the 
order of the curve is 1461501637330902918203683623790463405026757836801. The degree 
of MOV reduction attack is 3. 

5. If the equation of the curve is y^2 + y = x^3 then the order of the curve is 
1461501637330902918203682414864643790397583130625. The degree of MOV reduction 
attack is 1. 

6. If the equation of the curve is y^2 + y = x^3 + (133 1 followed by 133 zeros) then the order 
of the curve is 1461501637330902918203687250507922248914281955329. The degree of MOV 
reduction attack is 1. 

7. If the equation of the curve is y^2 + y = x^3 + (1 10) then the order of the curve is 
1461501637330902918203684832716283019655932542977. The degree of MOV reduction 
attack is 2. 

The only computation-intensive operation involved in constructing the supersingular curves 
is the search for elements of trace 1, which too is accomplished in almost no time. 
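The MOV degrees listed for Examples 7.16 and 7.17, and the cofactor-times-prime orders of Examples 7.10 to 7.15, are the two properties a verifier checks before accepting a published curve. The Python block below is an added example, not the thesis's code: it takes q, #E and the cofactor as printed above for Examples 7.11, 7.15 and 7.17 (class 7), and checks the Hasse bound, the exact cofactor, the parity of the Frobenius trace (which separates supersingular from ordinary curves in characteristic 2), the anomalous case #E = q, and the smallest k with ℓ | q^k − 1 for the prime-order subgroup ℓ, which is the field degree the MOV reduction maps into. The function names are assumed; the factor 6700417 of 2^160 + 1 follows from 2^32 + 1 = 641 · 6700417, a fact not stated on the page.

```python
# Added example (not the thesis's code): sanity checks on a published curve
# order (q, #E, cofactor), run on values quoted in Examples 7.11, 7.15, 7.17.

def frobenius_trace(q, order):
    """t = q + 1 - #E.  In characteristic 2 the curve is supersingular iff
    t is even; the Section 7.3 curves have odd t, the 7.4 curves even t."""
    return q + 1 - order

def within_hasse(q, order):
    """Hasse bound |t| <= 2*sqrt(q), checked exactly on integers."""
    t = frobenius_trace(q, order)
    return t * t <= 4 * q

def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases: deterministic below
    3.3e24, a strong probable-prime test above that."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(q, ell, max_k):
    """Degree of the MOV reduction for a subgroup of order ell: the least k
    with ell | q^k - 1, i.e. the pairing lands in GF(q^k).  None means no
    k <= max_k exists, so the reduction is infeasible for this subgroup."""
    qk = 1
    for k in range(1, max_k + 1):
        qk = qk * q % ell
        if qk == 1:
            return k
    return None

def check_order(q, order, cofactor, max_k=200):
    """All the checks at once, for a curve given as (q, #E, cofactor)."""
    ell = order // cofactor
    return {
        "hasse": within_hasse(q, order),
        "cofactor_exact": cofactor * ell == order,
        "supersingular": frobenius_trace(q, order) % 2 == 0,
        "anomalous": order == q,
        "subgroup_prime": is_probable_prime(ell),
        "mov_degree": embedding_degree(q, ell, max_k),
    }

# Orders as printed in the thesis: Example 7.11 (ordinary curve over
# GF(2^128)), Example 7.15 (GF(2^135)) and Example 7.17 class 7, the
# supersingular curve y^2 + y = x^3 + (1 10) over GF(2^160) with 2^160 + 1 points.
EX_7_11 = (2**128, 340282366920938463494384599195483217314, 2)
EX_7_15 = (2**135, 43556142965880123323414036655122927355348, 12)
# 2^32 + 1 = 641 * 6700417 divides 2^160 + 1 (160/32 is odd), so 6700417 is a
# prime factor of the class-7 order; the cofactor is the complementary quotient.
EX_7_17_C7 = (2**160, 2**160 + 1, (2**160 + 1) // 6700417)

if __name__ == "__main__":
    for name, params in (("7.11", EX_7_11), ("7.15", EX_7_15), ("7.17/7", EX_7_17_C7)):
        print(name, check_order(*params))
```

For the ordinary curves the embedding degree is reported as None within the search bound, which is the concrete meaning of "secure against the MOV reduction"; for the supersingular class-7 curve it is 2, matching the degree printed above.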

7.5 Implementation of Cryptosystems 

The elliptic curve cryptosystems based on ElGamal's algorithm have been implemented in 
software. Various routines have been developed to perform the arithmetic of modular integers 
and elements of GF(2^n) to implement the cryptosystem over GF(p) and GF(2^n) respectively. 
For modular arithmetic in GF(p), Montgomery's modular multiplication algorithm has been 
used. The following table shows the encryption and decryption rates over different finite fields. 
Finite field GF(q)    #GF(q) in decimal digits    Encryption rate (bits/sec)    Decryption rate (bits/sec) 
GF(p), q = p          51                          400                           1240 
GF(p), q = p          30                          790                           1620 
GF(2^130)             39                          320                           733 
GF(2^155)             47                          256                           500 

Table 7.2: Throughputs of cryptosystem over GF(q) 


It is obvious from the data given in the table that the throughput decreases as the size of the 
working field increases. For fields of almost the same order, the elliptic curve cryptosystem 
over GF(p) has higher throughput than that over GF(2^n), as 32-bit multiplication is very 
efficient on the Pentium processor. The decryption rate is almost twice the encryption rate because 
encryption involves two kP-type computations. For the computation of kP a modified double-
and-add method has been used. Higher throughput can be achieved if precomputation-based 
algorithms are used and routines for arithmetic in the underlying field are written in assembly 
language. 
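As an added example, not the thesis's implementation, the following Python block runs the ElGamal elliptic curve cryptosystem described above on a small assumed curve over GF(97), using affine double-and-add for kP. It counts scalar multiplications per operation, which is where the roughly 2:1 ratio between decryption and encryption rates in Table 7.2 comes from. Curve parameters, base point, keys and message point are all constructed for illustration; none is from the thesis.

```python
# Added example (not the thesis's implementation): ElGamal on a toy curve
# y^2 = x^3 + a x + b over GF(p) with affine double-and-add, counting the kP
# computations so the "two in encryption, one in decryption" ratio is visible.

P_MOD, A, B = 97, 2, 3        # assumed toy curve, far too small for real use
G = (3, 6)                    # base point: 3^3 + 2*3 + 3 = 36 = 6^2 (mod 97)

def on_curve(pt):
    if pt is None:            # None is the point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """Chord-and-tangent addition; also handles doubling and P + (-P) = O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)

COUNTER = {"scalar_mults": 0}

def ec_mul(k, pt):
    """Left-to-right double-and-add k*pt; every call is one kP computation."""
    COUNTER["scalar_mults"] += 1
    r = None
    for bit in bin(k)[2:]:
        r = ec_add(r, r)
        if bit == "1":
            r = ec_add(r, pt)
    return r

def keygen(d):
    """Private scalar d and public point Q = dG."""
    return d, ec_mul(d, G)

def encrypt(msg_pt, pub, k):
    """Ciphertext (kG, M + kQ): two scalar multiplications."""
    return ec_mul(k, G), ec_add(msg_pt, ec_mul(k, pub))

def decrypt(ct, d):
    """M = C2 - d*C1: one scalar multiplication."""
    c1, c2 = ct
    return ec_add(c2, ec_neg(ec_mul(d, c1)))

def demo(d=23, k=41, msg_pt=(0, 10)):
    """Round-trip one message point (0, 10) (10^2 = 3 = B mod 97) and report
    how many kP computations encryption and decryption each needed."""
    d, pub = keygen(d)
    start = COUNTER["scalar_mults"]
    ct = encrypt(msg_pt, pub, k)
    enc_mults = COUNTER["scalar_mults"] - start
    start = COUNTER["scalar_mults"]
    recovered = decrypt(ct, d)
    dec_mults = COUNTER["scalar_mults"] - start
    return recovered == msg_pt, enc_mults, dec_mults

if __name__ == "__main__":
    print(demo())
```

The scalar multiplication is the whole cost of each operation, so with two of them in encryption and one in decryption the expected rate ratio is the factor of about two that the table shows; precomputation on the fixed point G, as the text suggests, would cheapen only the kG term.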
Chapter 8 

Conclusions and Future Work 


After going through various issues involved in the design of efficient and secure elliptic curve 
cryptosystems, we conclude the thesis with a review of the main points and the scope for future work. 


8.1 Conclusions 

The selection of a suitable elliptic curve and finite field is an important aspect in design- 
ing an efficient cryptosystem. From the implementation point of view, elliptic curves over the 
finite fields GF(p) and GF(2^n) are of particular interest. We discussed algorithms for the 
construction of non-supersingular elliptic curves over GF(2^n) and GF(p) which are secure 
against all known attacks. The algorithms are based on Lay and Zimmer's scheme (which 
is a modified version of Atkin and Morain's scheme [AM93]) and have been generalized to 
include several other cases. 

The algorithm for construction of non-supersingular elliptic curves over GF(p) gives a 
generalized framework for the construction of curves. The algorithm has been implemented 
and tested to generate elliptic curves over GF(p) with predefined order. Miyaji's 
method [Miy92] for construction of elliptic curves over GF(p) with order p turns out to 
be a particular case. The algorithm has been tested to generate curves with order p in a 
few seconds for discriminants with class number other than 1 also. 

In the case of construction of elliptic curves over GF(2^n), Lay and Zimmer's algorithm 
has been generalized to include several other cases in which the class number is not equal to 
the degree of extension of GF(2^n) over GF(2). These cases were excluded by Lay due to an 
incorrect interpretation of the irreducibility of the class equation (possibly, as appears from one line 
written in [LZ94]). We present those cases as favorable ones when it is desirable to 
specify the modulo polynomial for GF(2^n). As discussed in Chapter 6, this is required when an 
optimal normal basis representation is desired. We support our argument with theoretical 
justification as well as by illustrating examples for each case. The algorithms have been 
tested thoroughly. The superiority of these algorithms over Schoof's algorithm [Sch85] is 
obvious as the time required for construction of curves over very large fields is very small (a few 
minutes on a Pentium-100MHz for curves over fields as large as GF(2^{…})) as compared to the 
time required by Schoof's algorithm [Men93b]. Apart from non-supersingular elliptic curves, 
supersingular curves over GF(2^n) have also been discussed and implemented. 

The thesis also discussed various issues involved in the implementation of elliptic curve cryp- 
tosystems. Various aspects related to the selection of the curve and working field for smart card 
implementation have also been discussed. It is obvious from the discussion in Chapter 6 
that elliptic curve public key algorithms are a better candidate for smart cards than RSA as 
they are less expensive both in terms of memory and computational requirements for the same 
level of security. 

8.2 Future Work 

In this thesis, we discussed various aspects of designing an efficient and secure elliptic curve 
public key cryptosystem. The task of constructing the curve has been fully accomplished, 
which takes care of the security aspects. This work can be extended to take up another aspect 
of elliptic curve cryptosystem design, that is, hardware and smart card implementation. 
This will be more concerned with VLSI design related issues. This is a very challenging 
task as limited space is available on a smart card and moreover, the processing power is also 
restricted. 

The elliptic curves have been studied in detail in the thesis. Apart from their application 
in cryptography, elliptic curves have also been discussed for primality testing and integer 
factorization, which have always been hot topics of research in number theory. As discussed 
in Chapter 5, the curve construction algorithms can be used to improve the efficiency of 
existing algorithms for integer factorization and primality proving. 
Appendix A 

Modular Forms 

Here we give a brief overview of the theory of modular forms. For details please refer to [Sil94, 
Apo76, Seg80]. In the discussion k denotes an integer and H denotes the upper half-plane, 
H = {τ : Im(τ) > 0}. 

Definition A.1 The modular group, denoted by Γ(1), is the quotient group 

Γ(1) = SL_2(Z)/{±1}. 

±1 are the only elements of SL_2(Z) which fix H. This group is generated by the matrices 

S = [0 −1; 1 0] and T = [1 1; 0 1]. 

Definition A.2 A function f(τ) is called a modular function of weight 2k if 

1. f is meromorphic in the upper half-plane H; 

2. for every τ ∈ H and γ = [a b; c d] ∈ Γ(1), 

f(γτ) = (cτ + d)^{2k} f(τ); 

3. the Fourier expansion 

f(τ) = Σ_{i = −n}^{∞} a_i q^i, q = e^{2πiτ}, 

is valid throughout the upper half-plane H. 

Any modular function of weight 0 is called a modular form. Hence, for modular forms, 
f(γτ) = f(τ) for all γ ∈ Γ(1). 
The modular forms are invariant under homothetic transformations of τ. For any lattice 
Λ = Zτ + Z, the Eisenstein series 

G_{2k}(Λ) = Σ_{ω ∈ Λ, ω ≠ 0} 1/ω^{2k} 

is absolutely convergent for all integers k ≥ 2 and is a modular function of weight 2k. 

We are mainly interested in g_2 = 60 G_4 and g_3 = 140 G_6. The modular discriminant is 
the function Δ(τ) = g_2^3 − 27 g_3^2. It is a modular form of weight 12. 

Klein's modular function j(τ) is a combination of g_2 and g_3 defined in such a way 
that, as a function of τ, it is a homogeneous function of degree 0. 
Since it is a modular form, it remains invariant under unimodular transformations of the modular 
group Γ(1) and is uniquely related to g_2 and g_3. The Fourier expansions of Δ(τ) and j(τ) 
are as given below. 

Δ(τ) = (2π)^{12} Σ_{n ≥ 1} τ(n) q^n,   j(τ) = (1/q) Σ_{n ≥ 0} c(n) q^n, 

where q = e^{2πiτ}, τ(n) is Ramanujan's function and c(n) ∈ Z. 
Appendix B 

Algebraic Number Theory 

Algebraic number theory is a very vast topic in mathematics. Here our aim is to give 
an introductory overview of the subject. For more information please refer to [PS92, Ono90, 
Cha88, IR82, Hec93, Coh78, Ros94]. 

A complex number α is called algebraic if it satisfies an equation of the form 

α^n + a_{n−1} α^{n−1} + … + a_0 = 0 

with a_i ∈ Q. 

An algebraic number field K is a finite field extension of Q lying in C. It is always of the 
form K = Q(α). The degree [K : Q] of K over Q is called the degree of K and it is equal 
to the degree of the polynomial given above. The algebraic number field K can also be thought of as an n- 
dimensional vector space over Q. The Q-basis (1, α, …, α^{n−1}) spans the whole space, i.e. 
the field K. 

The first goal of algebraic number theory is the extension of the arithmetic in Z and Q 
to algebraic number fields. By arithmetic in Z we mean the unique factorization of natural 
numbers into products of prime numbers. The arithmetic in Q is given by the arithmetic 
in Z. If we want to generalize the arithmetic of Q to an algebraic number field K, the first 
question we have to answer is: what is the generalization of Z? This is a ring O in K with 
the following properties: 

1. K is the quotient field of O. 

2. O ∩ Q = Z. 

3. The additive group of O is finitely generated. 

A ring with these properties is called an order of K. If K ≠ Q then there are infinitely many 
orders of K and there is one maximal order O_K containing all orders of K. An element α of 
K belongs to O_K if and only if there are integers a_1, …, a_s ∈ Z for some s ≤ n such that 

α^s + a_1 α^{s−1} + … + a_s = 0. 

The ring of integers O_K is a natural generalization of Z, and arithmetic in Z is generalized with 
the notion of ideals in O_K. O_K is called the ring of algebraic integers and its elements 
are called algebraic integers. The ideal theory of an algebraic number field plays an important 
role in giving a well defined structure to arithmetic in O_K. An integral ideal in O_K is a Z- 
module in O_K. An integral ideal is also referred to as a module. 

Proposition B.1 A number α in an algebraic number field K is an algebraic integer if and 
only if there exists a module m ≠ {0} in K with αm ⊆ m. 

Let m be a complete module in K (a module is called complete if its rank is equal to [K : Q]). Then 

O(m) = {α ∈ K | αm ⊆ m} 

is called the order of m. 

Proposition B.2 Any module m of O contains a basis of the vector space K over Q. 

For any α in K, there are n (= [K : Q]) conjugates [Cha88, Ono90, Fra95] α^{(i)}, 1 ≤ i ≤ n. 

The norm and trace functions of α are defined as 

N_{K/Q}(α) = α^{(1)} ⋯ α^{(n)} and Tr_{K/Q}(α) = α^{(1)} + … + α^{(n)}. 

For (α_1, …, α_n) the discriminant is defined as 

d_{K/Q}(α_1, …, α_n) = det(α_i^{(j)})^2 = det(Tr_{K/Q}(α_i α_j)). 

If all α_i ∈ O_K then the discriminant will be an integer. A set of n numbers (α_1, …, α_n) is 
called an integral basis of the module m if we have m = Zα_1 + … + Zα_n. The discriminant of this 
module is independent of the choice of the basis. 

Theorem B.1 The discriminant d_{K/Q}(O) of any order O is congruent to either 0 or 1 
modulo 4. 

Let (β_1, …, β_n) be a basis of O(m) and let A ∈ GL_n(Q) be such that 

(α_1, …, α_n) = (β_1, …, β_n) A. 

The absolute value |det A| of the determinant of A is independent of the choice of the basis. 
It is called the norm of m and is denoted by N(m). It is easy to see that 

d(m) = d(O(m)) N(m)^2. 

Here N(m) = |det A|. If m is an order O and its order is the ring of algebraic integers then 
N(O) is called the conductor of O. 
Definition B.1 For modules (equivalently ideals) a and b in an order O, we define 

a ∼ b if (α)a = (β)b for some α, β ∈ O, 

where (α) and (β) are principal ideals. This relation on the set of all nonzero modules (ideals) 
in O is an equivalence relation. A class defined by this equivalence relation is called an ideal 
class. 

Theorem B.2 The number of ideal classes of O is finite. 

The number of ideal classes of O is called the class number, denoted by h. 

Theorem B.3 The set of all ideal classes of O constitutes an abelian group, called the class 
group of O. 

The equivalence class of all principal ideals of a class group is the identity of this group. Ob- 
viously, any ideal in O when raised to the power h will become a principal ideal. In fact, this 
concept of class group can be extended from integral ideals to fractional ideals. 

Definition B.2 Let K be an algebraic number field of finite degree over Q and let O be an 
order. An O-module m is a fractional ideal if there is a ρ ∈ O such that ρm ⊆ O. 

If the set of all principal fractional ideals is denoted by P and the group of all nonzero fractional ideals by H, then 

Theorem B.4 The group H/P is the same as the class group defined above. 

The next theorem characterizes the arithmetic in K. 

Theorem B.5 (Fundamental Theorem of Ideal Theory) Every nontrivial fractional ideal a 
can be written uniquely as a product of prime ideals except for the order of the factors: 

a = p_1^{e_1} ⋯ p_g^{e_g}, e_i ∈ Z. 

Hence for any rational prime p the principal ideal (p)_K in O splits into prime ideals 

(p)_K = p_1^{e_1} ⋯ p_g^{e_g}, e_i > 0. 

Call f_i the degree of p_i: f_i = [O/p_i : GF(p)]. Here 

N p_i = [O : p_i] = p^{f_i}. 

Taking the norm of both sides and comparing the powers of p, we get 

n = [K : Q] = e_1 f_1 + … + e_g f_g. 
Definition B.3 e_i is the ramification index of p_i. When e_i > 1, p_i is said to be ramified 
and when e_i = 1, p_i is unramified. 

This concept can be generalized further to an extension field L of K. Now we focus upon 
the ring of algebraic integers, but all the arguments will be valid for orders in the extension 
fields as well. For a prime p in Q, denote by p and P prime ideals in O_K and O_L respectively, 
such that p | p and P | p. Call e the ramification index of p for K/Q and e* the ramification index 
of P for L/Q. Furthermore, let e' be the ramification index of P for L/K. Hence 

(p)_K = … p^{e} …, 

(p)_L = … P^{e*} …. 

As for their degrees, we have 

f = [O_K/p : GF(p)] and f* = [O_L/P : GF(p)] = [O_L/P : O_K/p][O_K/p : GF(p)] = f' f, 

where f' = [O_L/P : O_K/p]. Therefore we obtain f* = f' f. 

Now we give a very important result which tells us whether a prime will ramify in the 
extension field or not. 

Theorem B.6 A prime ideal p in K will ramify in L if the discriminant of L (= d(O_L)) is 
divisible by p. 

The next theorem, due to Kummer, is very important in determining the irreducibility of 
the class equation constructed in Chapter 4. 

Theorem B.7 Let K = Q(θ), θ ∈ O_K, and let f_θ(x) ∈ Z[x] be the minimal polynomial of θ. 
Assume that O_K = Z[θ]. Let 

f_θ(x) ≡ φ_1(x)^{e_1} ⋯ φ_g(x)^{e_g} (mod p) 

be the decomposition of f_θ(x) mod p, where each φ_i(x) is a monic polynomial of degree f_i and 
irreducible mod p. Then p_i = (p, φ_i(θ)) is a prime ideal of degree f_i and we have 

(p)_K = p_1^{e_1} ⋯ p_g^{e_g}. 

Since our major concern is with imaginary quadratic fields, we summarize the above 
discussion for degree two extensions. An algebraic number field K is called a quadratic field if 
[K : Q] = 2. For any quadratic field there exists a unique square-free d ∈ Z such that 
K = Q(√d). Let 

ω = (1 + √d)/2 if d ≡ 1 mod 4,  ω = √d if d ≡ 2, 3 mod 4. 

Then {1, ω} is a basis of O_K. 

An arbitrary order in K is of the form O_f := Z[fω], where f is a positive integer called the 
conductor of O_f. The basis of O_f is {1, fω}. The discriminant of O_K is called the discriminant 
of K and is equal to D = d if d ≡ 1 mod 4 and D = 4d if d ≡ 2, 3 mod 4. If the discriminant 
is negative then the field is called an imaginary quadratic field. The discriminant of the order 
O_f with conductor f is equal to D f^2. The class number of O_f is an integer multiple of 
that of O_K. 

If d ≡ 2, 3 mod 4 and p is a prime, then 

1. for p | D, (p) = p^2 and N(p) = p. 

2. for p ∤ D: if D is a quadratic residue modulo p, then (p) = p p' and N(p) = N(p') = p. If 
D is not a quadratic residue modulo p, then (p) = p and N(p) = p^2. 

If d ≡ 1 mod 4, then 

1. for p | D, (p) = p^2 and N(p) = p. 

2. for p ∤ D, 

(a) p ≠ 2: If D is a quadratic residue modulo p, then (p) = p p' and N(p) = N(p') = p. 
If D is not a quadratic residue modulo p, then (p) = p and N(p) = p^2. 

(b) p = 2: If D ≡ 1 mod 8, then (2) = p p' and N(p) = N(p') = 2. If D ≡ 5 mod 8, 
then (2) = p and N(p) = 2^2. 
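The splitting rules just stated are what decide, in Examples 7.10 to 7.15, whether 2 splits into two prime ideals p, p' in O(d) so that the class equation can factor over GF(2). As an added example that is not part of the thesis, the Python block below implements those rules for the maximal order of Q(√d) and cross-checks them against Kummer's theorem (Theorem B.7) by factoring the minimal polynomial of ω modulo p. The function names are assumed, d is assumed square-free as in the appendix, and the discriminants it runs on are the ones quoted in Section 7.3.

```python
# Added example (not from the thesis): how a rational prime p decomposes in
# the maximal order of Q(sqrt(d)), by the residue rules of Appendix B and,
# independently, by Kummer's theorem on the minimal polynomial of omega.
# d is assumed square-free.

def field_discriminant(d):
    """D = d if d = 1 (mod 4), D = 4d if d = 2, 3 (mod 4)."""
    return d if d % 4 == 1 else 4 * d

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def split_type(d, p):
    """'ramified': (p) = P^2,  'split': (p) = P P',  'inert': (p) stays prime."""
    D = field_discriminant(d)
    if D % p == 0:
        return "ramified"
    if p == 2:                       # 2 does not divide D, so d = 1 (mod 4)
        return "split" if D % 8 == 1 else "inert"
    return "split" if legendre(D, p) == 1 else "inert"

def omega_min_poly(d):
    """(c1, c0) with x^2 + c1*x + c0 the minimal polynomial of omega, where
    omega = (1 + sqrt d)/2 for d = 1 (mod 4) and omega = sqrt d otherwise."""
    if d % 4 == 1:
        return (-1, (1 - d) // 4)
    return (0, -d)

def split_type_kummer(d, p):
    """Theorem B.7 with theta = omega: O_K = Z[omega] for a quadratic field,
    so the factorisation of the minimal polynomial mod p mirrors that of (p)."""
    c1, c0 = omega_min_poly(d)
    roots = [x for x in range(p) if (x * x + c1 * x + c0) % p == 0]
    if field_discriminant(d) % p == 0:   # repeated root, phi(x)^2
        return "ramified"
    return "split" if len(roots) == 2 else "inert"

def rules_agree(ds, ps):
    """Both routes give the same answer for every (d, p) pair."""
    return all(split_type(d, p) == split_type_kummer(d, p) for d in ds for p in ps)

# Discriminants of Examples 7.10 to 7.15; the text treats 2 as splitting into
# p, p' in each of them, which requires d = 1 (mod 8).
THESIS_DISCRIMINANTS = (-5063, -4495, -42407, -20495, -55279, -48599)

if __name__ == "__main__":
    for d in THESIS_DISCRIMINANTS:
        print(d, "-> 2 is", split_type(d, 2), "(Kummer:", split_type_kummer(d, 2) + ")")
```

All six thesis discriminants are ≡ 1 mod 8, so 2 splits in each, which is the precondition the construction relies on; the order of p in the class group, which decides the degrees of the factors of the class equation over GF(2), is a separate computation not attempted here.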
Appendix C 

Class Field Theory 

The theory of abelian extensions of algebraic number fields is called class field theory. It 
describes the arithmetic of an abelian extension of an algebraic number field K in terms of the 
arithmetic of K. In 1840 it was shown by Kummer that every abelian extension of Q is 
contained in a cyclotomic field Q(ζ_m), where ζ_m is an mth root of unity. The theory of 
complex multiplication provides an analytic realization of class field theory for imaginary 
quadratic fields, much as the cyclotomic theory gives a realization of class field theory for Q. 
Here we give a brief overview of class field theory. Please refer to [Coh78, Sil94, PS92, Ono90] 
for further details. 

Class field theory describes the arithmetic properties of an abelian extension of K through 
the corresponding Galois group of automorphisms. For any abelian extension L of K, the 
Galois group is denoted by Gal(L/K) and #Gal(L/K) = [L : K]. For a prime ideal p in K 
consider the finite set of prime ideals in O_L, 

P_p = {P : P | p}. 

The decomposition group of Gal(L/K) for P | p is the set of all automorphisms which leave 
P fixed, i.e. 

G(P) = {σ ∈ Gal(L/K) : P^σ = P}. 

The quotient group Gal(L/K)/G(P) is isomorphic to P_p. Let g = #P_p = [Gal(L/K) : 
G(P)]. Let σ_1, …, σ_g be a complete set of representatives of the left cosets in Gal(L/K)/G(P). 
Then the decomposition of p in L can be written as 

p = (P^{σ_1})^{e_1} ⋯ (P^{σ_g})^{e_g}. 

Now since for any σ ∈ Gal(L/K), p^σ = p and Gal(L/K) is abelian, it can easily be shown 
that all e_i will be equal. Hence 

p = (P^{σ_1} ⋯ P^{σ_g})^e. 
As for the residue fields, there is a natural bijection 

O_L/P → O_L/P^σ, σ ∈ Gal(L/K), 

and so the relative degree [O_L/P^σ : O_K/p] does not depend upon σ. If the relative degree is 
f then 

n = [L : K] = efg. 

Now there exists a homomorphism from the decomposition group of P to the Galois 
group of the residue fields O_L/P and O_K/p, 

G(P) → Gal((O_L/P)/(O_K/p)). 

The right hand side group is cyclic and generated by the Frobenius automorphism 

x ↦ x^{N(p)}. 

If p is unramified, i.e. e = 1, then this homomorphism will be an isomorphism and there 
will exist a unique element σ_p ∈ G(P) (and hence in Gal(L/K)) which corresponds to the 
Frobenius automorphism in the right hand side group. It should be noted that this will 
be a unique element in the case of abelian extensions only. Hence σ_p ∈ Gal(L/K) is uniquely 
determined by the condition 

σ_p(x) ≡ x^{N(p)} mod P for all x ∈ O_L. 

This completes the study of the Galois group of an abelian extension of an algebraic number 
field K. Now we discuss the relationship of this group with the ideal class group of the ring of integers 
O_K of K (and also for any order O in general). 

Let c be an integral ideal of K that is divisible by all primes that ramify in L/K, and let 

I(c) = group of fractional ideals of K which are relatively prime to c. 

Then the Artin map is defined using the σ_p's: 

(·, L/K) : I(c) → Gal(L/K),  p ↦ σ_p. 

The following proposition gives us important information about the Artin map. 

Proposition C.1 (Artin Reciprocity) Let L be a finite abelian extension of K. There exists 
an integral ideal c ⊆ O_K, divisible by precisely the primes of K that ramify in L, such that 

((α), L/K) = 1 for all α ∈ K* satisfying α ≡ 1 (mod c). 
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c is called conductor of L/ K . In view of this proposition, we define the group of principal 
ideals which are relatively prime to c : 

” {{^) • ^ o: = l(mod c)). 

Artin reciprocity says that the kernel of the Artin map contains P(c) for an appropirate 
choice of c. More precisely, 

a e P(c) (a, L/K) = 1. 

If p is a prime ideal in K such that it is unramified in L, then p splits completely in L 
if and only if the degree of corresponding ideals in L is 1, or equivalently (^, L/K) = 1. 
Thus the unramified prime ideals in the kernel of the Artin map are precisely the primes of 
K which split completely in L. Now, we introduce the notion of class field with Ray Class 
Field. 

Definition C.l Let c be an integral ideal of K. A ray class field of K (modulo c) is a finite 
abelian extension K^/K with the property that if the conductor of any finite abelian extension 
L/K devide c then K C A'c. 

The ray class fields are the largest abelian extensions with a given conductor. Consider the ray class 
field of K modulo the unit ideal $\mathfrak{c} = (1) = O_K$. Then no prime ideal of K ramifies in 
$L = K_{(1)}$. In this case L is called the Hilbert class field, the maximal unramified abelian 
extension of K. Notice that 

$$I((1)) = \{\text{all non-zero fractional ideals of } K\},$$

$$P((1)) = \{\text{all non-zero principal fractional ideals of } K\}.$$

So the Artin map induces an isomorphism between the ideal class group of K and the Galois 
group of the Hilbert class field: 

$$(\cdot, K_{(1)}/K) : \mathrm{Cl}(O_K) \xrightarrow{\ \sim\ } \mathrm{Gal}(K_{(1)}/K).$$

Similarly, for any conductor (f), $f \in \mathbb{Z}$, all of the above arguments hold for the order O 
of conductor f (see Appendix B), and the Artin map induces 

$$(\cdot, K_{(f)}/K) : \mathrm{Cl}(O) \xrightarrow{\ \sim\ } \mathrm{Gal}(K_{(f)}/K).$$

Here $K_{(f)}$ (denoted $H_O$ in Chapters 2 and 4) is called the ring class field of O; it is a subfield of 
the ray class field modulo (f). In general it is not an unramified abelian extension of K, since the 
prime ideals of $O_K$ which are not relatively prime to (f) may ramify in $K_{(f)}$. But every prime 
ideal of $O_K$ relatively prime to f is unramified in $K_{(f)}$, and it splits completely there exactly 
when the corresponding ideal of O is principal. This result is of utmost importance in the theory 
of construction of elliptic curves. 
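The isomorphism $\mathrm{Cl}(O) \cong \mathrm{Gal}(K_{(f)}/K)$ and the description of the kernel of the Artin map can be checked numerically. The following Python code is an added example and is not part of the thesis. It enumerates the reduced primitive binary quadratic forms of a negative discriminant D, one per ideal class of the order of discriminant D, so their number is the class number h(D), which is also the degree of the ring class field over K and of the class polynomial used in the CM construction of curves. For $K = \mathbb{Q}(\sqrt{-23})$ it then compares two descriptions of the rational primes $p \neq 23$ that split completely in the Hilbert class field: p lies under a principal prime ideal of $O_K$ exactly when p is represented by the principal form $x^2 + xy + 6y^2$, and p splits completely in the Hilbert class field exactly when $x^3 - x - 1$ splits into three distinct linear factors mod p. The second description rests on the classical fact, assumed here and not stated on the page, that the Hilbert class field of $\mathbb{Q}(\sqrt{-23})$ is generated by a root of $x^3 - x - 1$. The discriminants, the polynomial and the prime bound are inputs chosen for the example.

```python
"""Class numbers of imaginary quadratic orders and the splitting criterion
behind the Artin map (added worked example, not part of the thesis)."""
from math import gcd, isqrt


def reduced_forms(D):
    """Primitive reduced binary quadratic forms (a, b, c) of discriminant D < 0,
    i.e. b^2 - 4ac = D, |b| <= a <= c, b >= 0 if |b| == a or a == c, gcd(a,b,c) = 1.
    Each ideal class of the order of discriminant D contains exactly one such
    form, so len(reduced_forms(D)) is the class number h(D) = |Cl(O)|."""
    assert D < 0 and D % 4 in (0, 1), "D must be a negative discriminant"
    forms = []
    a = 1
    while 3 * a * a <= -D:            # |b| <= a <= c forces a <= sqrt(|D| / 3)
        for b in range(-a, a + 1):
            if (b - D) % 2:           # b must have the parity of D
                continue
            num = b * b - D
            if num % (4 * a):         # c = (b^2 - D) / (4a) must be an integer
                continue
            c = num // (4 * a)
            if c < a:
                continue
            if (abs(b) == a or a == c) and b < 0:
                continue              # reduction convention on the boundary
            if gcd(gcd(a, abs(b)), c) != 1:
                continue              # imprimitive form, belongs to a smaller order
            forms.append((a, b, c))
        a += 1
    return sorted(forms)


def class_number(D):
    return len(reduced_forms(D))


def represented_by_principal_form(D, p):
    """Is p = x^2 + b x y + c y^2 for the principal form of discriminant D?
    Since 4 f(x, y) = (2x + by)^2 - D y^2, it suffices to find y >= 0 with
    4p + D y^2 a perfect square (the parity of the square root then matches y)."""
    y = 0
    while 4 * p + D * y * y >= 0:
        s2 = 4 * p + D * y * y
        s = isqrt(s2)
        if s * s == s2:
            return True
        y += 1
    return False


def distinct_roots_mod_p(coeffs, p):
    """Number of distinct roots in F_p of the integer polynomial with the given
    coefficients (highest degree first), evaluated by Horner's rule."""
    count = 0
    for x in range(p):
        v = 0
        for coef in coeffs:
            v = (v * x + coef) % p
        if v == 0:
            count += 1
    return count


def primes_below(n):
    """Sieve of Eratosthenes."""
    sieve = bytearray([1]) * n
    sieve[:2] = b"\x00\x00"
    for i in range(2, isqrt(n - 1) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, n, i)))
    return [i for i in range(n) if sieve[i]]


def artin_mismatches(D, hilbert_poly, bound):
    """Primes p < bound not dividing D at which 'p is represented by the
    principal form' and 'hilbert_poly splits completely mod p' disagree.
    Both conditions say that p splits completely in the Hilbert class field
    (trivial Artin symbol), so the returned list should be empty."""
    deg = len(hilbert_poly) - 1
    bad = []
    for p in primes_below(bound):
        if D % p == 0:                # ramified prime: Artin symbol not defined
            continue
        principal = represented_by_principal_form(D, p)
        splits = distinct_roots_mod_p(hilbert_poly, p) == deg
        if principal != splits:
            bad.append(p)
    return bad


if __name__ == "__main__":
    # Q(sqrt(-23)): h(-23) = 3, forms (1,1,6), (2,-1,3), (2,1,3)
    print(reduced_forms(-23), class_number(-23))
    # Hilbert class field generated by a root of x^3 - x - 1 (assumed fact)
    print(artin_mismatches(-23, [1, 0, -1, -1], 500))
```

reduced_forms(-92) also has three elements, so for the order of conductor 2 in $\mathbb{Q}(\sqrt{-23})$ the ring class field has degree 3 over K and coincides with the Hilbert class field, which is why the primes above 2 do not ramify in it. An empty result from artin_mismatches is the numerical form of the statement that the unramified primes in the kernel of the Artin map are exactly those that split completely.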
Appendix D 

Algebraic Geometry 


Let K be a perfect field [Fra95, BJN94] and $\bar K$ its algebraic closure. 

Definition D.1 An affine n-space over K is the set of n-tuples 

$$\mathbb{A}^n(\bar K) = \{P = (x_1, x_2, \ldots, x_n) : x_i \in \bar K\}.$$

Similarly, the set of K-rational points in $\mathbb{A}^n$ is the set 

$$\mathbb{A}^n(K) = \{P = (x_1, x_2, \ldots, x_n) \in \mathbb{A}^n(\bar K) : x_i \in K\}.$$

The elements of $\mathbb{A}^n(\bar K)$ are called points. $\mathbb{A}^1(\bar K)$ is the affine line and $\mathbb{A}^2(\bar K)$ is the affine 
plane. For any polynomial f in the ring $\bar K[X_1, \ldots, X_n]$, a point $P = (a_1, a_2, \ldots, a_n) \in \mathbb{A}^n(\bar K)$ 
is a zero of f if f(P) = 0. If f is not a constant, then the set of all zeros of f is called the 
hypersurface defined by f, and is denoted by V(f). A hypersurface in $\mathbb{A}^2(\bar K)$ is called an 
affine plane curve. More generally, if S is any set of polynomials in $\bar K[X_1, \ldots, X_n]$, we have 

$$V(S) = \{P \in \mathbb{A}^n(\bar K) : f(P) = 0 \text{ for all } f \in S\}.$$

Definition D.2 A subset $X \subseteq \mathbb{A}^n(\bar K)$ is an affine algebraic set, or simply an algebraic set, 
if X = V(S) for some set S of polynomials in $\bar K[X_1, \ldots, X_n]$. 

We can associate an ideal with an algebraic set V, called the ideal of V, which is given by 

$$I(V) = \{f \in \bar K[X_1, \ldots, X_n] : f(P) = 0 \text{ for all } P \in V\}.$$

An algebraic set V(f) is said to be irreducible if I(V(f)) is a prime ideal in $\bar K[X_1, \ldots, X_n]$. 

Definition D.3 An irreducible affine algebraic set is called an affine variety. 

The affine coordinate ring and the function field of an affine variety V over K are the ring 
of polynomial functions on V with coefficients in K and its field of fractions: 

$$K[V] = K[X_1, \ldots, X_n] / I_K(V), \qquad I_K(V) = I(V) \cap K[X_1, \ldots, X_n],$$

$$K(V) = \text{the quotient field of } K[V].$$


Now we define projective space as the collection of lines through the origin in an affine space 
of one higher dimension. Each point of the projective plane is represented by a line passing 
through the origin of affine 3-space, and the projective plane arises from the affine plane by 
adding the "points at infinity". 

Definition D.4 A projective n-space over K is the set of (n + 1)-tuples 

$$\mathbb{P}^n(\bar K) = \{P = (x_1, x_2, \ldots, x_{n+1}) : x_i \in \bar K, \text{ not all } x_i = 0\} / \sim,$$

where two tuples are equivalent, $(x_i) \sim (\lambda x_i)$, if they differ by a non-zero factor $\lambda \in \bar K^*$. 
Similarly, the set of K-rational points in $\mathbb{P}^n$ is the set 

$$\mathbb{P}^n(K) = \{P \in \mathbb{P}^n(\bar K) : P \text{ has a representative } (x_1, \ldots, x_{n+1}) \text{ with all } x_i \in K\}.$$

In other words, all the points lying on a line which passes through the origin of $\mathbb{A}^{n+1}$ are 
identified to a single point of $\mathbb{P}^n$. If $x_i \neq 0$, that point corresponds to the single point 

$$(x_1/x_i, \ldots, x_{i-1}/x_i, x_{i+1}/x_i, \ldots, x_{n+1}/x_i)$$

of the affine space $\mathbb{A}^n$, while the points with $x_i = 0$ are the points at infinity of this affine chart. 

A projective variety is defined in a way similar to the affine variety. Any affine hypersurface 
V(f) in the affine plane corresponds to a projective variety V(F) in the projective plane, where F 
is the homogenized version of f. The next statement tells us when two varieties are regarded 
as the same. 

Theorem D.1 Two projective (or affine) varieties $V_1, V_2$ are said to be birationally equivalent 
if there exist rational maps, given by rational functions in the corresponding function fields, 

$$\phi = [f_1, \ldots, f_{n+1}] : V_1 \to V_2, \qquad f_i \in \bar K(V_1),$$

and $\psi : V_2 \to V_1$ of the same kind, such that $\psi \circ \phi$ and $\phi \circ \psi$ are the identity wherever 
they are defined. If $\phi$ and $\psi$ are defined at every point, $V_1$ and $V_2$ are isomorphic. 

Since we are mainly concerned with algebraic curves (varieties of dimension 1), from now 
on we concentrate on the affine plane $\mathbb{A}^2(\bar K)$ and the corresponding projective plane $\mathbb{P}^2(\bar K)$ 
only. Any affine curve C : f(x, y) = 0 of degree d corresponds to the projective curve 
$\bar C : F(X, Y, Z) = 0$ defined by the homogeneous polynomial 

$$F(X, Y, Z) = Z^d f(X/Z, Y/Z).$$

Now let us define the term non-singular (or smooth) for algebraic curves (or for any variety 
of higher dimension), which expresses the absence of irregular points on the curve (or variety). 

Definition D.5 A projective curve C = V(F) is said to be non-singular or smooth if the partial 
derivatives $\partial F/\partial X$, $\partial F/\partial Y$, $\partial F/\partial Z$ do not vanish simultaneously at any point of C. 

If a curve is singular, then more than one tangent can be drawn at a singular point. 
The number of distinct tangents at an ordinary singular point defines its multiplicity. 
It is well known in algebraic geometry that a curve of degree n (the degree of the corresponding F) 
can have at most (n - 1)(n - 2)/2 double points (ordinary singular points of multiplicity 2). 
For a plane curve of degree n with only ordinary singularities the genus is 

$$g = \frac{(n-1)(n-2)}{2} - (\text{number of properly counted double points}),$$

where an ordinary point of multiplicity m counts as m(m - 1)/2 double points; so every singular 
point lowers the genus, and in particular a smooth plane cubic has genus 1 while a singular 
one has genus 0. For more information about the genus see [Ful69, Abh90, Wal62, Mor93, PS93, TV91]. 
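Definition D.5 can be applied directly to the curves used in the thesis. The following Python code is an added example and is not part of the thesis: it takes the homogenized short Weierstrass polynomial $F(X, Y, Z) = Y^2 Z - X^3 - aXZ^2 - bZ^3$ over a prime field $\mathbb{F}_p$ with p > 3, lists the projective points of the curve at which F and all three partial derivatives vanish, and checks that the answer agrees with the familiar condition $4a^3 + 27b^2 \not\equiv 0 \pmod p$ for every pair (a, b). A brute-force search over $\mathbb{F}_p$-rational points is enough here because for p > 3 a repeated root of $x^3 + ax + b$ is fixed by Frobenius and therefore lies in $\mathbb{F}_p$, so a singular point, if there is one, is rational. The prime and the curve parameters are chosen for the example.

```python
"""Smoothness of y^2 = x^3 + a x + b over F_p by Definition D.5
(added worked example, not part of the thesis)."""


def curve_and_partials(p, a, b):
    """Return F and its partial derivatives for the homogenized curve
    F(X, Y, Z) = Y^2 Z - X^3 - a X Z^2 - b Z^3, all evaluated mod p."""
    def F(X, Y, Z):
        return (Y * Y * Z - X ** 3 - a * X * Z * Z - b * Z ** 3) % p

    def F_X(X, Y, Z):
        return (-3 * X * X - a * Z * Z) % p

    def F_Y(X, Y, Z):
        return (2 * Y * Z) % p

    def F_Z(X, Y, Z):
        return (Y * Y - 2 * a * X * Z - 3 * b * Z * Z) % p

    return F, F_X, F_Y, F_Z


def projective_points(p):
    """One representative of every point of P^2(F_p):
    the affine chart (x : y : 1), then the line at infinity (x : 1 : 0) and (1 : 0 : 0)."""
    for x in range(p):
        for y in range(p):
            yield (x, y, 1)
    for x in range(p):
        yield (x, 1, 0)
    yield (1, 0, 0)


def singular_points(p, a, b):
    """Points of the curve where F, F_X, F_Y and F_Z vanish simultaneously
    (the failure case of Definition D.5)."""
    F, F_X, F_Y, F_Z = curve_and_partials(p, a, b)
    return sorted(
        P for P in projective_points(p)
        if F(*P) == 0 and F_X(*P) == 0 and F_Y(*P) == 0 and F_Z(*P) == 0
    )


def is_smooth(p, a, b):
    return not singular_points(p, a, b)


def discriminant_nonzero(p, a, b):
    """Textbook criterion for p > 3: the curve is smooth iff 4a^3 + 27b^2 != 0 in F_p."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def criterion_agrees_everywhere(p):
    """Compare Definition D.5 with the discriminant criterion for all (a, b) in F_p^2."""
    assert p > 3, "the short Weierstrass criterion needs characteristic > 3"
    return all(is_smooth(p, a, b) == discriminant_nonzero(p, a, b)
               for a in range(p) for b in range(p))


if __name__ == "__main__":
    print(singular_points(11, 0, 0))     # cusp of y^2 = x^3 at (0 : 0 : 1)
    print(singular_points(11, -3, 2))    # node of y^2 = (x - 1)^2 (x + 2) at (1 : 0 : 1)
    print(is_smooth(11, 1, 1), criterion_agrees_everywhere(11))
```

The point at infinity (0 : 1 : 0) is never singular, since $\partial F/\partial Z = Y^2 = 1$ there; the only candidates are affine points with y = 0 at a repeated root of the cubic, which is exactly what the discriminant detects.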

To conclude this discussion, we define the divisor group of a smooth curve. The divisor 
group of a curve C, denoted by Div(C), is the free abelian group generated by the points of C. 
Thus a divisor $D \in \mathrm{Div}(C)$ is a formal sum 

$$D = \sum_{P \in C} n_P\,(P)$$

with $n_P \in \mathbb{Z}$ and $n_P = 0$ for all but finitely many $P \in C$. The degree of D is defined by 

$$\deg D = \sum_{P \in C} n_P.$$

Divisors of degree 0 form a subgroup of Div(C), which is denoted by 

$$\mathrm{Div}^0(C) = \{D \in \mathrm{Div}(C) : \deg D = 0\}.$$

If the curve is defined over K, the corresponding groups of divisors fixed by $\mathrm{Gal}(\bar K/K)$ are 
denoted $\mathrm{Div}_K(C)$ and $\mathrm{Div}^0_K(C)$. Now assume that the curve C is smooth, and let f lie in the 
function field of C. Then we can associate to f the divisor 

$$\mathrm{div}(f) = \sum_{P \in C} \mathrm{ord}_P(f)\,(P),$$

where $\mathrm{ord}_P(f)$ is the order of f at P, a valuation recording its zeros and poles: $\mathrm{ord}_P(f) < 0$ 
if f has a pole at P, $\mathrm{ord}_P(f) > 0$ if P is a zero of f, and $\mathrm{ord}_P(f) = 0$ otherwise. Since f is a 
non-zero element of the function field of C, there are only finitely many points at which f has 
a pole or a zero, so div(f) is indeed a divisor. Moreover, it is a fundamental fact of algebraic 
geometry that the degree of div(f) is zero. 

Definition D.6 A divisor $D \in \mathrm{Div}(C)$ is principal if it has the form D = div(f) for some f 
in the function field $\bar K(C)^*$. Two divisors $D_1, D_2$ are linearly equivalent, denoted $D_1 \sim D_2$, if 
$D_1 - D_2$ is principal. The divisor class group (or Picard group) of C, denoted Pic(C), is the 
quotient of Div(C) by the subgroup of principal divisors. We let $\mathrm{Pic}_K(C)$ be the subgroup 
of Pic(C) fixed by the Galois group $\mathrm{Gal}(\bar K/K)$. The degree 0 part of the divisor class group 
of C, $\mathrm{Pic}^0(C)$, is the quotient of $\mathrm{Div}^0(C)$ by the subgroup of principal divisors. Further, 
$\mathrm{Pic}^0_K(C)$ is the subgroup of $\mathrm{Pic}^0(C)$ fixed by $\mathrm{Gal}(\bar K/K)$. 

This definition is what gives the points of an elliptic curve their group structure: for an 
elliptic curve E with base point O, the map $P \mapsto [(P) - (O)]$ is a bijection from E onto $\mathrm{Pic}^0(E)$, 
and the addition of points is the group law transported from $\mathrm{Pic}^0(E)$. 





Bibliography 

[Abh90] Shreeram S. Abhyankar. Algebraic Geometry for Scientists and Engineers. Mathematical Surveys and Monographs 35. American Mathematical Society, 1990. 

[ABV89] David W. Ash, I. F. Blake, and S. A. Vanstone. Low Complexity Normal Bases. Discrete Applied Mathematics, 25:191-210, 1989. 

[Ahl79] Lars V. Ahlfors. Complex Analysis. McGraw-Hill, 1979. 

[AM93] A. O. L. Atkin and F. Morain. Elliptic Curves and Primality Proving. Mathematics of Computation, 61(203):29-68, 1993. 

[AMOV91] G. Agnew, R. Mullin, I. Onyszchuk, and S. Vanstone. An Implementation for a Fast Public Key Cryptosystem. Journal of Cryptology, 3(2):63-79, 1991. 

[AMV93] G. Agnew, R. Mullin, and S. Vanstone. An Implementation of Elliptic Curve Cryptosystems over F_{2^155}. IEEE Journal on Selected Areas in Communications, 11(5):804-813, June 1993. 

[Apo76] Tom M. Apostol. Modular Functions and Dirichlet Series in Number Theory. GTM 41. Springer-Verlag, 1976. 

[BCH+66] A. Borel, S. Chowla, C. S. Herz, K. Iwasawa, and J.-P. Serre. Seminar on Complex Multiplication. LNM 21. Springer-Verlag, 1966. 

[BJN94] P. B. Bhattacharya, S. K. Jain, and S. R. Nagpaul. Basic Abstract Algebra. Cambridge University Press, 1994. 

[Bri89] E. F. Brickell. A Survey of Hardware Implementations of RSA. Advances in Cryptology - CRYPTO '89, LNCS 435, pages 368-370, 1989. 

[BS96] Eric Bach and Jeffrey Shallit. Algorithmic Number Theory, Volume 1: Efficient Algorithms. The MIT Press, 1996. 

[Cas94] CASCADE: 32-bit Microcontroller for Smart Cards, 1994. Available at http://www.dice.ucl.ac.be/dhem/cascade.html. 

[Cha88] J. S. Chahal. Topics in Number Theory. Plenum Press, 1988. 

[Cha95] K. P. P. Kalyan Chakravarthy. On Certain Computations Related to Elliptic Curves. Master's thesis, Department of Electrical Engineering, Indian Institute of Technology, Kanpur 208016, India, February 1995. 

[Coh78] Harvey Cohn. A Classical Invitation to Algebraic Numbers and Class Fields. Springer-Verlag, 1978. 

[CTT94] Jinhui Chao, Kazuo Tanada, and Shigeo Tsujii. Design of Elliptic Curves with Controllable Lower Boundary of Extension Degree for Reduction Attacks. Advances in Cryptology - CRYPTO '94, LNCS 839, pages 50-55, 1994. 

[Dav80] Harold Davenport. Multiplicative Number Theory. Springer-Verlag, 1980. 

[DH76] Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6):644-654, November 1976. 

[DH79] Whitfield Diffie and Martin E. Hellman. Privacy and Authentication: An Introduction to Cryptography. Proceedings of the IEEE, 67(3):397-427, March 1979. 

[DJ91] Stephen R. Dusse and Burton S. Kaliski Jr. A Cryptographic Library for the Motorola DSP56000. Advances in Cryptology - EUROCRYPT '90, LNCS 473, pages 230-244, 1991. 

[DVJ96] Jean-Francois Dhem, Daniel Veithen, and Jean-Jacques Quisquater. SCALP: Smart Cards for Limited Payment Systems. IEEE Micro, pages 42-51, June 1996. 

[dWQ92] Dominique de Waleffe and Jean-Jacques Quisquater. CORSAIR: A Smart Card for Public Key Cryptosystems. Advances in Cryptology '92, LNCS, pages 389-399, 1992. 

[ElG85] T. ElGamal. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, 31(4):469-472, 1985. 

[Fen89] Gui-Liang Feng. A VLSI Architecture for Fast Inversion in GF(2^m). IEEE Transactions on Computers, 38(10):1383-1386, October 1989. 

[FOM92] Atsushi Fujioka, Tatsuaki Okamoto, and Shoji Miyaguchi. ESIGN: An Efficient Digital Signature Implementation for Smart Cards. Advances in Cryptology '92, LNCS, pages 389-399, 1992. 

[Fra95] John B. Fraleigh. A First Course in Abstract Algebra. Narosa Publishing House, 1995. 

[Ful69] William Fulton. Algebraic Curves. W. A. Benjamin, 1969. 

[Gre93] Jonathan S. Greenfield. Distributed Programming Paradigms with Cryptography Applications. Lecture Notes in Computer Science 870, 1993. 

[GV95] Shuhong Gao and S. A. Vanstone. On Orders of Optimal Normal Basis Generators. Mathematics of Computation, 64(211):1227-1233, July 1995. 

[Hec93] Erich Hecke. Lectures on the Theory of Algebraic Numbers. GTM 77. Springer-Verlag, 1993. 

[IR82] Kenneth Ireland and Michael Rosen. A Classical Introduction to Modern Number Theory. GTM 84. Springer-Verlag, 1982. 

[KABSK96] Cetin Kaya Koc, Tolga Acar, and Burton S. Kaliski Jr. Analyzing and Comparing Montgomery Multiplication Algorithms. IEEE Micro, pages 26-33, June 1996. 

[Knu81] D. E. Knuth. The Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley, Reading, MA, 1981. 

[Kob90] N. Koblitz. Constructing Elliptic Curve Cryptosystems in Characteristic 2. Advances in Cryptology - CRYPTO '90, LNCS 537, pages 156-167, 1990. 

[Kon91] Hans-Peter Konigs. Cryptographic Identification Methods for Smart Cards in the Process of Standardization. IEEE Communications Magazine, pages 42-48, June 1991. 

[KT92] Kenji Koyama and Yukio Tsuruoka. Speeding up Elliptic Cryptosystems by Using a Signed Binary Window Method. Advances in Cryptology - CRYPTO '92, LNCS, pages 345-357, 1992. 

[LN94] Rudolf Lidl and Harald Niederreiter. Introduction to Finite Fields and Their Applications. Cambridge University Press, 1994. 

[LZ94] G.-J. Lay and H. G. Zimmer. Constructing Elliptic Curves with Given Group Order over Large Finite Fields. Algorithmic Number Theory (ANTS-I), LNCS 877, pages 250-263, 1994. 

[McE87] R. J. McEliece. Finite Fields for Computer Scientists and Engineers. Kluwer Academic Publishers, 1987. 

[Men93a] Alfred J. Menezes, editor. Applications of Finite Fields. Kluwer Academic Publishers, 1993. 

[Men93b] Alfred J. Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993. 

[Miy91] Atsuko Miyaji. On Ordinary Elliptic Curve Cryptosystems. Advances in Cryptology - ASIACRYPT '91, LNCS, 1991. 

[Miy92] Atsuko Miyaji. Elliptic Curves over F_p Suitable for Cryptosystems. Advances in Cryptology - AUSCRYPT '92, LNCS 718, pages 479-491, 1992. 

[Mon85] P. L. Montgomery. Modular Multiplication Without Trial Division. Mathematics of Computation, 44(170):519-521, 1985. 

[Mor93] Carlos J. Moreno. Algebraic Curves over Finite Fields. Cambridge Tracts in Mathematics 97. Cambridge University Press, 1993. 

[MOVW89] R. C. Mullin, I. M. Onyszchuk, S. A. Vanstone, and R. M. Wilson. Optimal Normal Bases in GF(p^n). Discrete Applied Mathematics, 22:149-161, 1989. 

[MS91] Willi Meier and Othmar Staffelbach. Efficient Multiplication on Certain Nonsupersingular Elliptic Curves. Lecture Notes in Computer Science, pages 333-344, 1991. 

[NM95] David Naccache and David M'Raihi. Cryptographic Smart Cards. IEEE Micro, pages 14-24, June 1995. 

[Omu90] Jim K. Omura. Novel Applications of Cryptography in Digital Communications. IEEE Communications Magazine, pages 21-28, May 1990. 

[Ono90] Takashi Ono. An Introduction to Algebraic Number Theory. Plenum Press, 1990. 

[OSA92] Holger Orup, Erik Svendsen, and Erik Andreasen. VICTOR: An Efficient RSA Hardware Implementation. Advances in Cryptology - EUROCRYPT '90, LNCS 473, pages 245-252, 1991. 

[PH78] S. Pohlig and M. Hellman. An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance. IEEE Transactions on Information Theory, 24:106-110, 1978. 

[Pol78] J. M. Pollard. Monte Carlo Methods for Index Computation (mod p). Mathematics of Computation, 32(143):918-924, 1978. 

[PS92] A. N. Parshin and I. R. Shafarevich, editors. Number Theory II: Algebraic Number Theory. Encyclopaedia of Mathematical Sciences 60. Springer-Verlag, 1992. 

[PS93] A. N. Parshin and I. R. Shafarevich, editors. Number Theory I: Fundamental Problems, Ideas and Theories. Encyclopaedia of Mathematical Sciences 49. Springer-Verlag, 1993. 

[Roo95] Peter de Rooij. Efficient Exponentiation Using Precomputation and Vector Addition Chains. Advances in Cryptology - EUROCRYPT '94, LNCS 950, pages 389-399, 1995. 

[Ros94] H. E. Rose. A Course in Number Theory. Clarendon Press, 1994. 

[Sch85] Rene Schoof. Elliptic Curves over Finite Fields and the Computation of Square Roots mod p. Mathematics of Computation, 44(170):483-494, April 1985. 

[Sch89] C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. Advances in Cryptology - CRYPTO '89, LNCS 435, pages 239-252, 1989. 

[Sch93] Bruce Schneier. Applied Cryptography. John Wiley & Sons, 1993. 

[Seg80] Sanford L. Segal. Nine Introductions in Complex Analysis. North-Holland Mathematics Studies 53. North-Holland, 1980. 

[Shi71] G. Shimura. Introduction to the Arithmetic Theory of Automorphic Forms. Princeton University Press, 1971. 

[SHL84] C. P. Schnorr and H. W. Lenstra Jr. A Monte Carlo Factoring Algorithm with Linear Storage. Mathematics of Computation, 43(167):289-311, July 1984. 

[Sil85] Joseph H. Silverman. The Arithmetic of Elliptic Curves. GTM 106. Springer-Verlag, 1985. 

[Sil94] Joseph H. Silverman. Advanced Topics in the Arithmetic of Elliptic Curves. GTM 151. Springer-Verlag, 1994. 

[Sim91] G. J. Simmons, editor. Contemporary Cryptology: The Science of Information Integrity. IEEE Press, New York, 1991. 

[Sta95] William Stallings. Network and Internetwork Security: Principles and Practice. Prentice Hall, Englewood Cliffs, NJ 07632, 1995. 

[Ste85] N. M. Stephens. Lenstra's Factorization Method Based on Elliptic Curves. Advances in Cryptology - CRYPTO '85, LNCS 218, pages 409-416, 1985. 

[TV91] M. A. Tsfasman and S. G. Vladut. Algebraic-Geometric Codes. Mathematics and its Applications (Soviet Series) 58. Kluwer Academic Publishers, 1991. 

[VVDJ92] Andre Vandemeulebroecke, Etienne Vanzieleghem, Tony Denayer, and Paul G. A. Jespers. A Single Chip 1024 Bits RSA Processor. Advances in Cryptology '92, LNCS, pages 219-236, 1992. 

[Wal62] R. J. Walker. Algebraic Curves. Dover, New York, 1962. 

[Web02] H. Weber. Lehrbuch der Algebra, Volumes I-III. Chelsea, New York, 1902. 

[WP90] Charles C. Wang and Dingyi Pei. A VLSI Design for Computing Exponentiations in GF(2^m) and Its Application to Generate Pseudorandom Number Sequences. IEEE Transactions on Computers, 39(2):258-262, February 1990. 

[WTS+85] Charles C. Wang, T. K. Truong, Howard M. Shao, Leslie J. Deutsch, Jim K. Omura, and Irving S. Reed. VLSI Architectures for Computing Multiplications and Inverses in GF(2^m). IEEE Transactions on Computers, C-34(8):709-716, August 1985. 

[Wun83] M. C. Wunderlich. A Performance Analysis of a Simple Prime-Testing Algorithm. Mathematics of Computation, 40(162):709-714, March 1983. 

[Zur94] Dan Zuras. More on Squaring and Multiplying Large Integers. IEEE Transactions on Computers, 43(8):899-908, August 1994. 



